Recent posts

#1
Hardware and Performance / Debian on DEC4640
Last post by micha - Today at 01:59:37 PM
Hi there!

Does anyone have any experience installing Debian 13 or Proxmox on a DEC4640 OPNsense firewall appliance from Deciso?

/micha
#2
General Discussion / Re: FIB/VRF support in OPNsens...
Last post by cluck - Today at 01:38:04 PM
Multi-WAN stability would greatly improve if 'gateway groups' and WAN interfaces would be implemented on top of dedicated FIBs instead of policy routing.

Such setups are notoriously unstable because connections get bound to the wrong local IP address; this is because "monitoring IP host routes", default routes, static routes and dpinger all fight over the same FIB.

Btw., OPNsense 26.1 just broke Multi-WAN completely... maybe a good occasion to "rethink" this feature without the burden of a migration path.
#3
:-) Hehe, would be nice if I can do that.

This is only the tip of the whole network. Many routes, many tunnels at all the gateways, spanning the whole of Europe...
#4
Translated with ChatGPT.

Hello,
I have been using the Community Edition of Q-Feeds for quite some time now, but my initial enthusiasm has gradually given way to a certain sense of disappointment.

At the beginning of my testing, Q-Feeds was reliably blocking almost everything. This gave me the impression that, in the long run, it might even be possible to replace CrowdSec entirely with Q-Feeds.

However, after more than seven days, the picture looks quite different. Q-Feeds is now contributing very little, while my static Spamhaus blocklists in combination with CrowdSec are doing most of the work. Q-Feeds is only filtering the small remainder that gets through.

At this point, whether Q-Feeds is active or not in the Community Edition makes no noticeable difference in practice. It is worth mentioning that Q-Feeds is placed at the very top of my rule order.

cu Richard

#5
You can redirect the traffic to the desired gateway with a policy-routing rule for direction out on the WAN.

Don't forget to add a proper outbound/source NAT rule. As far as I know, this has to be added on the WAN, but with the translation address of the real outgoing interface.
#6
Tutorials and FAQs / Re: Install OpnSense on OVH Pu...
Last post by bimbar - Today at 01:27:44 PM
Hi, I tried that with 26.1 and 25.7, both hang at UEFI, while the vga image does boot, but, as we know, it's in livecd mode, which does not help me.
#7
General Discussion / Re: Development / Community / ...
Last post by LizaM - Today at 01:14:38 PM
Quote from: passeri on January 17, 2026, 11:26:28 PM
Given the base is working software, not a development from scratch, I can understand that the release pattern does not follow a conventional cycle such as one might read in Wikipedia. I interpret development as a form of beta which is yet changing for reasons other than bugs. Community I accept as an advanced stable release which may yet have bugs which are fixed under _NN releases. Business is a supported stable release which might be called long term except that its term is not long.

Opnsense is not the only operation to follow a pattern like this, nor the only forum in which it is argued. I think that the conventional namings from alpha through gold, including the word beta, confuse the issue by their prior connotations.

We have a stable base product. On that there is a development offshoot. When that is feature-complete (for this phase) and stable it becomes Community, field testing more advanced features ahead of the low-risk business edition.

The clear implication is that there are three levels of risk for the consumers, who must themselves share the risk management as discussed, firstly by selecting in which level they will join and secondly by their own testing and timing of upgrades on one or more of their own systems. Personally I select Community, then upgrade (always with snapshots) through "Does it work for a few hours?" on a reserve box to "Does it work for a few days?" on an internal production box to "Here we go" on the edge router.
That's a sensible breakdown! Clear risk tiers, staged upgrades, and real-world testing beat confusing "alpha/beta" labels any day.
#8
French - Français / MAC address filtering in ...
Last post by Serge - Today at 01:14:37 PM
Environment:
Operating mode: Bridge (with net.link.bridge parameters configured)
Firewall rules applied on the bridge interface
DNS enforcement set up via NAT redirect (port 53 to the internal DNS)
Problem observed:
I tried to set up rules based on MAC addresses (via aliases) to allow certain (VIP) devices to bypass the DNS restrictions.
However, the observed behaviour is inconsistent:
MAC-based rules do not seem to be applied reliably
Traffic seems to be processed mainly on the basis of the IP address
The NAT (redirection) and state-tracking mechanisms seem to take precedence over MAC filtering

My questions:

Is filtering by MAC address officially supported and reliable in OPNsense, particularly in bridge mode?
How does the pf engine handle MAC addresses in the filtering process?
Are there specific parameters (tunables) that ensure MAC filtering works correctly?
Is MAC filtering compatible with NAT rules (port forward / redirection)?
What is the recommended best practice for applying per-device policies (MAC vs IP vs other methods)?

Objective:
Set up a reliable DNS control policy while allowing certain specific devices to benefit from exceptions.

If MAC filtering is not recommended, could you confirm the preferred approach (for example: IP-based rules, VLAN segmentation, or integration with NAC / 802.1X)?

Thank you in advance for your help.
#9
German - Deutsch / Re: Proxmox + OPNsense + VLANs
Last post by silke61 - Today at 01:11:14 PM
As so often: I got it working shortly after my post. My firewall rule from the VLAN network to the internet was wrong. I had the WAN net as the destination, and that did not work. I could not imagine that it had to be "any", which in the context of a firewall is not particularly sensible; after all, you don't want everything open. The solution was then an additional block rule for the other VLANs. It doesn't exactly make things clearer, but it works for now.
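The rule order the post describes, written out as a pf.conf sketch. This is an added example, not silke61's configuration and not rules generated by OPNsense (which builds its own ruleset from the GUI); the interface name, the three VLAN subnets and the WAN subnet are assumptions. The point it shows is why "WAN net" as a destination fails and why the block rule for the other VLANs has to sit above the pass-to-any rule.

```pf
# Added example, not the poster's config. Interface name and subnets are assumed.
vlan10_if  = "vlan10"           # the VLAN this policy applies to
vlan10_net = "192.168.10.0/24"

# All internal subnets, including the one the rule is for; extend as VLANs are added.
table <internal_nets> { 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 }

# What did NOT work: "WAN net" is only the WAN interface's own subnet
# (here assumed to be 203.0.113.0/24), not the internet at large, so traffic
# to arbitrary destinations matched no pass rule and hit the default deny.
# pass in quick on $vlan10_if from $vlan10_net to 203.0.113.0/24 keep state

# What works: block the other internal networks first, then pass to any.
# "quick" stops evaluation at the first match, so order is what enforces the
# isolation; swapping the two lines would let the pass rule win for everything.
block in quick on $vlan10_if from $vlan10_net to <internal_nets>
pass  in quick on $vlan10_if from $vlan10_net to any keep state
```

In the OPNsense GUI the same shape is a block rule on the VLAN interface whose destination is an alias of all internal subnets, placed above the pass rule whose destination is "any". Keeping the internal subnets in one alias or table means new VLANs only need to be added in one place rather than with a new block rule each.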
#10
Bridging VLANs for Steam Local Network Game Transfer is a smart move, especially with your internet speed. It sounds like you're on the right track! Make sure that the bridge interface is properly configured and that the firewall rules allow traffic between the VLANs. Sometimes, it helps to check if the devices are on the same subnet after bridging. If you're still having issues, consider checking your switch settings as well. Good luck!