Recent posts

#1
Quote from: Serg on February 24, 2026, 09:27:24 AM
Please show screenshots of the GUI.
Can you do the same for pfSense?

I did; I used the OP's package as the base, the idea is the same, but I think I'll rework it a bit later. Here's the git
#2
General Discussion / os-gdrive-backup setup
Last post by m59s - Today at 10:22:50 PM
Hi everybody,
newbie here ;-)

I got the os-gdrive-backup plugin installed on OPNSense 26.1.2 but I don't know how to set it up.
According to some AI advice it should be visible amongst the Services, but that doesn't seem to be the case.

Already tried to reinstall the plugin, as well as rebooting the system, unsuccessfully.

Many thanks for any help.

Marco
#3
I noticed a quirk in the Event Viewer under Security > Q-Feeds Connect: the default sort order is inconsistent. Events are grouped by day in descending order (today first, then yesterday, etc.), but within each day they are sorted ascending by time (00:00 to 23:59).
The result is a non-continuous timeline that makes finding recent events unintuitive: the most recent events of any given day appear at the bottom of that day's group, not at the top.
The workaround is to manually click the timestamp column to re-sort, but the default behavior seems unintentional and is confusing on first encounter.
#4
General Discussion / Re: DNS, DoH, DoT, DoQ, DNSCry...
Last post by Mario_Rossi - Today at 07:49:44 PM
I think I've achieved a good level of DNS management.

These are my NAT rules:
You cannot view this attachment.
I take everything not destined for AGH on port 53 and 853 and forward it to AGH.
I take everything not arriving from AGH to Unbound and forward it to AGH (so only AGH can query Unbound).
I take everything not arriving from Unbound/OPNsense to DNSCrypt and forward it to AGH (so only Unbound/OPNsense can query DNSCrypt).


While these are my firewall rules:
You cannot view this attachment.
All local networks can reach AGH on ports 53/443/853 UDP/TCP.
The smart TV on the Guest VLAN can only access the Internet through ports 80 and 443 UDP/TCP; everything else is blocked.
Other objects on the Guest VLAN can only access the Internet.

This is the AGH encryption configuration
You cannot view this attachment.

In the AGH logs, I see that it handles:
Type: A, Simple DNS
Type: AAAA, Simple DNS
Type: A, DNS over TLS
Type: HTTPS, Simple DNS

All DNS traffic (and variants) passing through standard ports should be handled.
Now everything else is missing, and for that I can't find anything better than a Layer-7 filter.
Without paying for external software like Zenarmor, the only valid alternative at home is Suricata.
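The three NAT rules and the gap the post ends on, as an added example that is not part of the post or of any OPNsense code: a small Python model of first-match redirect rules with constructed placeholder addresses and ports (the AGH address and the Unbound and DNSCrypt listen ports are assumptions), showing where each kind of client flow lands and that DNS-over-HTTPS to a public resolver on 443 passes through untouched, which is why a Layer-7 filter comes up next.

```python
"""Model of the three DNS redirect rules described in the post above.

Added illustration, not the poster's configuration: the addresses and ports
below are constructed placeholders, and the evaluation is a simplified
first-match model of how pf 'rdr' rules are applied, not a pf implementation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder addresses/ports (assumptions, not from the post).
AGH = "10.0.0.2"        # AdGuard Home host
FIREWALL = "10.0.0.1"   # OPNsense itself, running Unbound and DNSCrypt
UNBOUND_PORT = 5335     # assumed Unbound listen port
DNSCRYPT_PORT = 5353    # assumed DNSCrypt-proxy listen port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Redirect:
    """One NAT redirect rule: match on ports plus optionally negated src/dst."""
    name: str
    dports: frozenset
    target: str
    target_port: Optional[int] = None   # None keeps the original port (pf 'rdr' default)
    dst: Optional[str] = None
    negate_dst: bool = False
    src: Optional[str] = None
    negate_src: bool = False

    @staticmethod
    def _match(value: str, wanted: Optional[str], negate: bool) -> bool:
        if wanted is None:
            return True
        return (value == wanted) != negate

    def matches(self, f: Flow) -> bool:
        return (f.dport in self.dports
                and self._match(f.dst, self.dst, self.negate_dst)
                and self._match(f.src, self.src, self.negate_src))


# The three rules from the post, in evaluation order (NAT rules: first match wins).
RULES: List[Redirect] = [
    # 1. Anything on 53/853 not already aimed at AGH goes to AGH (port kept).
    Redirect("dns-to-agh", frozenset({53, 853}), AGH, dst=AGH, negate_dst=True),
    # 2. Only AGH may reach Unbound; everyone else is bounced to AGH:53.
    Redirect("unbound-only-from-agh", frozenset({UNBOUND_PORT}), AGH, 53,
             dst=FIREWALL, src=AGH, negate_src=True),
    # 3. Only Unbound/OPNsense may reach DNSCrypt; everyone else goes to AGH:53.
    Redirect("dnscrypt-only-from-unbound", frozenset({DNSCRYPT_PORT}), AGH, 53,
             dst=FIREWALL, src=FIREWALL, negate_src=True),
]


def matching_rule(flow: Flow, rules: List[Redirect] = RULES) -> Optional[Redirect]:
    """The first redirect rule that applies to the flow, or None if it passes untouched."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    return None


def resolve(flow: Flow, rules: List[Redirect] = RULES) -> Tuple[str, int]:
    """Return the (host, port) the flow actually lands on after redirection."""
    rule = matching_rule(flow, rules)
    if rule is None:
        return flow.dst, flow.dport
    return rule.target, flow.dport if rule.target_port is None else rule.target_port


if __name__ == "__main__":
    client = "10.0.1.20"  # constructed LAN client
    for f in (Flow(client, "8.8.8.8", 53), Flow(client, "1.1.1.1", 853),
              Flow(client, FIREWALL, UNBOUND_PORT), Flow(AGH, FIREWALL, UNBOUND_PORT),
              Flow(client, "1.1.1.1", 443)):
        r = matching_rule(f)
        print(f, "->", resolve(f), r.name if r else "not redirected")
```

The last flow in the `__main__` block is the point of the poster's closing remark: a client speaking DNS-over-HTTPS to 1.1.1.1:443 is indistinguishable from ordinary HTTPS at layer 3/4, so no port-based redirect can catch it.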
#5
26.1 Series / Re: Wireguard VPN
Last post by leony - Today at 07:01:44 PM
Quote from: Patrick M. Hausen on Today at 05:57:21 PM
You should have assigned WAN to the PPPoE interface. PPPoE and WAN are supposed to be one and the same thing if your uplink works via PPPoE.

You are right, the problem was the interface assignments and, in turn, wrong firewall entries.

All good now, thanks for your help.
#6
Hardware and Performance / Re: DEC3920 Quick Review
Last post by dirtyfreebooter - Today at 06:50:47 PM
i stumbled across this bug discussing the i226 TX hang on FreeBSD: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279245
there is a shell script, aspm_disable, attached at the bottom; with it you can easily disable ASPM on a PCI device.

# pciconf -l | grep igc
igc0@pci0:1:0:0:        class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
igc1@pci0:2:0:0:        class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
igc2@pci0:3:0:0:        class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
igc3@pci0:4:0:0:        class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000

# aspm_disable 02:00.0
  PCIe capability found at offset 0xa0
  Link Control offset: 0xb0
  Current Link Control: 0x0042
  New Link Control (ASPM disabled): 0x0040
  setpci -s 02:00.0 b0.w=0040
  ASPM disabled for 02:00.0.

interestingly enough, disabling ASPM on igc1 had no noticeable effect on the idle power consumption.

i was able to completely eliminate the Oerrs by using the traffic shaper. my bufferbloat grade was a C, so i did the traffic shaping from the OPNsense docs and got an A+, slightly lower max bandwidth, but now the WAN interface is overwhelming the ONT.

and also dialed back on the tunables, once traffic shaping seemed to eliminate all interface errors.

# make sure ax0 and igc1 don't overlap cpus, leave cpu 0 for system interrupts
dev.ax.0.iflib.core_offset=1

# igc tweaks
dev.igc.1.fc=0

# enable RSS
net.inet.rss.bits=3
net.inet.rss.enabled=1
net.isr.bindthreads=1
net.isr.maxthreads=-1

# enabled zenarmor, increased buffers to prevent netmap full errors in dmesg
dev.netmap.admode=2         # added by zenarmor
dev.netmap.buf_num=1000000  # added by zenarmor
dev.netmap.generic_rings=4
dev.netmap.generic_ringsize=2048
dev.netmap.ring_num=1024    # added by zenarmor
dev.netmap.ring_size=131072

# factory defaults
hw.ibrs_disable=1
vm.pmap.pti=0
ice_ddp_load=YES
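The bookkeeping behind the pciconf/aspm_disable session above, as an added Python example (not the aspm_disable script from the FreeBSD bug, which is what actually writes the register, and not OPNsense code): it parses pciconf -l output into setpci selectors, noting that pciconf prints bus/device/function in decimal while setpci takes them in hex, and computes the Link Control value with the two ASPM Control bits cleared. The pciconf lines are those from the post; the register layout is the PCI Express capability structure. It touches no hardware.

```python
"""Helpers for the ASPM workaround shown above: map pciconf device names to
setpci selectors and compute the Link Control value with ASPM cleared.

Added example, not the aspm_disable script from the FreeBSD bug. It only does
the bookkeeping and never touches hardware. PCICONF_SAMPLE is copied from the post.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

PCICONF_SAMPLE = """\
igc0@pci0:1:0:0:        class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
igc1@pci0:2:0:0:        class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
igc2@pci0:3:0:0:        class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
igc3@pci0:4:0:0:        class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
"""

# pciconf -l prints "<driver><unit>@pci<domain>:<bus>:<device>:<function>:" with the
# numbers in decimal; setpci/lspci selectors are hexadecimal "bb:dd.f".
_LINE = re.compile(
    r"^(?P<name>[A-Za-z_]+\d+)@pci(?P<dom>\d+):(?P<bus>\d+):(?P<dev>\d+):(?P<func>\d+):\s+(?P<attrs>.*)$"
)


@dataclass(frozen=True)
class PciDevice:
    name: str       # e.g. "igc1"
    selector: str   # setpci selector, e.g. "02:00.0"
    vendor: int
    device: int


def parse_pciconf(text: str) -> List[PciDevice]:
    """Parse 'pciconf -l' output into devices with hex setpci selectors."""
    devices = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        attrs: Dict[str, str] = dict(kv.split("=", 1) for kv in m["attrs"].split())
        selector = f"{int(m['bus']):02x}:{int(m['dev']):02x}.{int(m['func']):x}"
        devices.append(PciDevice(m["name"], selector,
                                 int(attrs["vendor"], 16), int(attrs["device"], 16)))
    return devices


def link_control_offset(pcie_cap_offset: int) -> int:
    """Link Control sits 0x10 bytes into the PCI Express capability structure
    (0xa0 -> 0xb0 in the post's output)."""
    return pcie_cap_offset + 0x10


# PCIe Link Control register: bits 1:0 are ASPM Control (00 = disabled,
# 01 = L0s, 10 = L1, 11 = L0s and L1). Bit 6 (0x40) is Common Clock
# Configuration, which is why 0x0042 in the post becomes 0x0040, not 0x0000.
ASPM_CONTROL_MASK = 0x0003
_ASPM_NAMES = {0: "disabled", 1: "L0s", 2: "L1", 3: "L0s+L1"}


def aspm_state(link_control: int) -> str:
    return _ASPM_NAMES[link_control & ASPM_CONTROL_MASK]


def aspm_disabled(link_control: int) -> int:
    """Link Control with the ASPM Control bits cleared, everything else kept."""
    return link_control & ~ASPM_CONTROL_MASK & 0xFFFF


def setpci_command(selector: str, link_control_offset_: int, value: int) -> str:
    """The 16-bit register write the post's script issues, e.g. 'setpci -s 02:00.0 b0.w=0040'."""
    return f"setpci -s {selector} {link_control_offset_:x}.w={value:04x}"


if __name__ == "__main__":
    for d in parse_pciconf(PCICONF_SAMPLE):
        print(d.name, d.selector, hex(d.vendor), hex(d.device))
    lc = 0x0042  # value shown in the post for igc1
    print(aspm_state(lc), "->",
          setpci_command("02:00.0", link_control_offset(0xa0), aspm_disabled(lc)))
```

Note that the script only ever clears bits 1:0; if a future read of the register showed a value with other bits set (the common-clock bit, link retrain, and so on), the same mask still leaves them alone.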
#7
26.1 Series / Re: Wireguard VPN
Last post by Patrick M. Hausen - Today at 05:57:21 PM
You should have assigned WAN to the PPPoE interface. PPPoE and WAN are supposed to be one and the same thing if your uplink works via PPPoE.
#8
25.7, 25.10 Series / Re: some LDAP users was automa...
Last post by bran.ko - Today at 05:08:16 PM
/var/log/system/latest.log is clear; only the systemctl log is here with some activity, and the acme logs
<13>1 2026-04-11T00:15:04+02:00 firewall configctl 63706 - [meta sequenceId="26"] event @ 1775859304.15 msg: Apr 11 00:15:04 firewall config[56811]: config-event: new_config /conf/backup/config-1775859304.1084.xml
<13>1 2026-04-11T00:15:04+02:00 firewall configctl 63706 - [meta sequenceId="28"] event @ 1775859304.15 exec: system event config_changed response: OK

/var/log/audit/latest - is clear also

crontab -e 
yes, there are some scheduled scripts, but nothing suspicious

firewall has installed all patches/updates
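An added example, not part of the thread or of OPNsense itself, for working with the two log lines quoted above: a parser for their RFC 5424 syslog shape (PRI, version, timestamp, host, app, procid, msgid, structured data, message) and a function that pulls out the configctl config-change events with the backup file each one wrote, checking that the epoch embedded in the backup name agrees with the syslog timestamp. That gives a timestamped list of configuration changes to line up against when the unexpected user changes appeared. SAMPLE_LINES are the two lines from the post; nothing else is assumed.

```python
"""Parse the RFC 5424 lines above and pull out the configuration-change events.

Added example, not from the thread. SAMPLE_LINES are the two lines quoted in the
post. Each config change is reported with its timestamp, sequence id and the
backup file it produced, plus a check that the epoch in the backup file name
matches the syslog timestamp.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_LINES = [
    '<13>1 2026-04-11T00:15:04+02:00 firewall configctl 63706 - [meta sequenceId="26"] event @ 1775859304.15 msg: Apr 11 00:15:04 firewall config[56811]: config-event: new_config /conf/backup/config-1775859304.1084.xml',
    '<13>1 2026-04-11T00:15:04+02:00 firewall configctl 63706 - [meta sequenceId="28"] event @ 1775859304.15 exec: system event config_changed response: OK',
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)
_SD_ELEMENT = re.compile(r"\[(?P<id>\S+?)(?P<params>(?: [^\]]*)?)\]")
_SD_PARAM = re.compile(r'(\w+)="([^"]*)"')
_NEW_CONFIG = re.compile(r"config-event: new_config (?P<path>\S+)")
_BACKUP_EPOCH = re.compile(r"config-(?P<epoch>\d+)\.\d+\.xml$")


def parse_syslog(line: str) -> Optional[Dict]:
    """Split one RFC 5424 line into its fields; None if the line is not in that format."""
    m = _HEADER.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    sd: Dict[str, Dict[str, str]] = {}
    if m["sd"] != "-":
        for el in _SD_ELEMENT.finditer(m["sd"]):
            sd[el["id"]] = dict(_SD_PARAM.findall(el["params"]))
    return {
        "facility": pri // 8,      # <13> -> facility 1 (user), severity 5 (notice)
        "severity": pri % 8,
        "timestamp": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "app": m["app"],
        "procid": m["procid"],
        "sd": sd,
        "msg": m["msg"],
    }


def config_changes(lines: List[str], tolerance_s: int = 5) -> List[Dict]:
    """configctl events that wrote a new config backup. The epoch in the backup
    file name should agree with the syslog timestamp within a few seconds; a
    larger gap is worth a second look when reconstructing a timeline."""
    out = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None or ev["app"] != "configctl":
            continue
        nc = _NEW_CONFIG.search(ev["msg"])
        if not nc:
            continue
        path = nc["path"]
        be = _BACKUP_EPOCH.search(path)
        epoch_ok = (be is not None and
                    abs(int(be["epoch"]) - int(ev["timestamp"].timestamp())) <= tolerance_s)
        out.append({
            "when": ev["timestamp"].isoformat(),
            "sequence_id": ev["sd"].get("meta", {}).get("sequenceId"),
            "backup": path,
            "epoch_matches_timestamp": epoch_ok,
        })
    return out


if __name__ == "__main__":
    for change in config_changes(SAMPLE_LINES):
        print(change)
```

Each backup path reported here is a full copy of the configuration at that moment, so diffing consecutive backups around the reported time is the direct way to see which user entries changed.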
#9
26.1 Series / Re: Wireguard VPN
Last post by leony - Today at 05:01:52 PM
I have finally resolved the problem. The answer was my original question. Shall the firewall rules be applied to the WAN or PPPoE Interface?

I have removed the WAN firewall entry and added the same to the PPPoE Interface and that did the trick.

To all having the same problem, this is the answer. Many thanks
#10
26.1 Series / Re: SUPPORT NEEDED - Reply-to ...
Last post by Oriann - Today at 04:29:50 PM
Quote from: sopex8260 on April 10, 2026, 02:43:09 PM
Have you tried sticky connections with a long timeout?

Sticky connections have nothing to do with my problem; they are used in load balancing, not in failover (which is my case). Specifically, in failover mode you need to drop connections and re-establish them, otherwise old connections will hang and wait for the timeout.