Recent posts

#1
Hello all,

I needed a way to clone my Deciso 750 SSD to a file (to be able to restore the whole installation after a crash or hardware issue). Since booting CloneZilla via a USB stick didn't work out, I started writing a simple script that could do the same from my Mac. A couple of hours later, and with some help from AI, an interactive script to clone and restore from/to NVMe was born. Claude assisted in refactoring, and here it is. It should be able to handle other use cases as well (e.g. upgrading to a larger SSD, cloning other appliances, etc.).

To be able to read the SSD you will need an M.2 NVMe SSD enclosure; I can recommend this one for speed and reliability on Mac, but others should work as well.

If interested, have a look at:
https://github.com/svendt/Clone-NVMe-for-MacOS

Feedback welcome (and be careful when opening the appliance to retrieve the SSD; the warranty might be voided).
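Added example, not the script from the linked repository and not the poster's code: the core of a clone/restore round trip of the kind described above, in Python so it can be exercised on ordinary files before being pointed at a device. It assumes the SSD shows up on the Mac as a raw device such as /dev/rdiskN (unmounted first with `diskutil unmountDisk`, which this code does not do for you), and that a SHA-256 sidecar file next to the image is an acceptable integrity record; the 4 MiB chunk size and file names are illustrative. Two details a practitioner would want and a plain `dd` does not give: the image is created mode 0600, because it carries the whole OPNsense install including config.xml with private keys and password hashes, and the restore refuses a corrupted image or a too-small target and re-reads the device afterwards (a larger replacement SSD is fine).

```python
import hashlib
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep a USB NVMe enclosure streaming


def sha256_of(path, length=None):
    """SHA-256 of the first `length` bytes of path (whole file or device if None).
    Returns (hexdigest, bytes_read)."""
    h = hashlib.sha256()
    done = 0
    with open(path, "rb") as f:
        while length is None or done < length:
            want = CHUNK if length is None else min(CHUNK, length - done)
            buf = f.read(want)
            if not buf:
                break
            h.update(buf)
            done += len(buf)
    return h.hexdigest(), done


def device_size(path):
    """Size in bytes; seeking to the end works for regular files and raw devices."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)


def clone_to_image(device, image):
    """Stream `device` (e.g. /dev/rdisk4, assumed unmounted) into `image` and
    write `<image>.sha256` beside it. The image holds the full install, so it
    is created mode 0600 and never left readable by other users."""
    fd = os.open(image, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # the O_CREAT mode is ignored if the file already existed
    h = hashlib.sha256()
    with open(device, "rb") as src, os.fdopen(fd, "wb") as dst:
        for buf in iter(lambda: src.read(CHUNK), b""):
            dst.write(buf)
            h.update(buf)
        dst.flush()
        os.fsync(dst.fileno())
    digest = h.hexdigest()
    with open(image + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(image)}\n")
    return digest


def restore_from_image(image, device):
    """Write `image` back onto `device`, which may be larger than the original
    (new SSD) but never smaller. The image is checked against its sidecar
    before anything is written, and the device is re-read afterwards."""
    size = os.path.getsize(image)
    with open(image + ".sha256") as f:
        expected = f.read().split()[0]
    actual, _ = sha256_of(image)
    if actual != expected:
        raise ValueError("image checksum mismatch, refusing to restore")
    if device_size(device) < size:
        raise ValueError("target is smaller than the image")
    # r+b: no truncation, which a block device would not allow anyway
    with open(image, "rb") as src, open(device, "r+b") as dst:
        for buf in iter(lambda: src.read(CHUNK), b""):
            dst.write(buf)
        dst.flush()
        os.fsync(dst.fileno())
    written, n = sha256_of(device, size)
    if n != size or written != expected:
        raise ValueError("read-back verification failed")
    return written


def demo():
    """Round trip on constructed temp files standing in for the old and the
    (larger) new SSD, so the logic runs without touching real hardware."""
    d = tempfile.mkdtemp()
    disk, image, new_disk = (os.path.join(d, n) for n in ("disk0", "opnsense.img", "disk1"))
    data = os.urandom(9 * 1024 * 1024 + 123)  # odd size: the last chunk is partial
    with open(disk, "wb") as f:
        f.write(data)
    with open(new_disk, "wb") as f:
        f.write(b"\0" * (12 * 1024 * 1024))  # constructed "larger replacement SSD"
    digest = clone_to_image(disk, image)
    restored = restore_from_image(image, new_disk)
    with open(new_disk, "rb") as f:
        same = f.read(len(data)) == data
    return {
        "digest_ok": digest == hashlib.sha256(data).hexdigest(),
        "restored_ok": restored == digest and same,
        "image_mode": os.stat(image).st_mode & 0o777,
        "new_disk_size": os.path.getsize(new_disk),
    }


if __name__ == "__main__":
    print(demo())
```

Reading the raw device on macOS needs root, so the real invocation is `sudo python3 clone.py` with `clone_to_image("/dev/rdisk4", "opnsense.img")`; keep the image and its .sha256 somewhere encrypted at rest, since restoring it anywhere hands over the firewall's keys and admin credentials.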
#2
26.1 Series / Re: IPFire Domain Blocklist ( ...
Last post by nero355 - Today at 12:55:13 AM
Quote from: OPNenthu on February 20, 2026, 09:18:12 PM
This is another Coke vs. Pepsi thing now like Dnsmasq and Kea :P

So is AdGuard vs. Pi-Hole, but I would rather see you choose "the wrong one" (AdGuard in this case) than use Unbound, which does not have a nice and handy webGUI to manage anything you need and more than that! :P

#Pi-Hole+UnboundFTW!!! ^_^
#3
26.1 Series / Re: move anti-lockout rules to...
Last post by nero355 - Today at 12:46:22 AM
I am not sure if you need the following, but just FYI:

- Create Firewall Rules for the Default LAN Interface/Network that are basically the same as the Default Anti-Lockout Rule.
- If you are 110% sure that you have done it right, you can Disable the Default Anti-Lockout Rule.
- Now, as long as you Allow at least one of your other networks to access the Default LAN Network, they can also reach the Default LAN Network and thus the OPNsense webGUI and SSH too!!

That's it! :)
#4
26.1 Series / Re: Problem with new Firewall
Last post by nero355 - Today at 12:38:03 AM
Quote from: Matt_K on February 20, 2026, 05:28:51 PM
However, my LAN clients cannot access the internet at all.

What doesn't work EXACTLY?!

Post some ping/tracert/traceroute/dig/drill/nslookup output, for example!!
#5
26.1 Series / Re: Odd defaults for RA and DH...
Last post by nero355 - Today at 12:35:44 AM
Quote from: JamesFrisch on February 20, 2026, 05:17:13 PM
I think I am gonna postpone my migration and hope for some kind of migration path tool, like with the new firewall rules.

Whether you can or cannot Enable/Disable DHCP Servers per Interface was one of the things I was curious about, and it got answered for me in various sources, so afterwards I just did the following:

- Export all Static DHCP Mappings from the ISC DHCP Server for all Interfaces/Networks.
- Pre-configure the KEA DHCP Server and Import the Static DHCP Mappings for each Interface/Network.

Now it's just a matter of:
- Stopping & Disabling the ISC DHCP Server on all your Interfaces.
- Enabling and Starting the KEA DHCP Server on all your Interfaces.

Simple as that, and I would do the same with the Dnsmasq DHCP & DNS Server should I ever need to ;)
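Added example for the export step above (not the poster's procedure or any OPNsense tooling): pull the ISC static mappings out of a config.xml backup and validate them before importing them anywhere. It assumes the legacy `<dhcpd>` layout, with one child element per interface and `<staticmap>` entries carrying `<mac>`, `<ipaddr>`, `<hostname>` and `<descr>`; the sample XML is constructed, and the CSV column names are this example's own choice, to be renamed to whatever the import side expects. The checks a practitioner wants at this point are MAC normalisation (mixed case and dash separators creep into hand-edited configs) and a hard stop on duplicate MACs or IPs across interfaces, which are usually stale entries and are far easier to resolve before the switch-over than after.

```python
import csv
import io
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the legacy <dhcpd> section of config.xml
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <dhcpd>
    <lan>
      <enable>1</enable>
      <staticmap><mac>aa:bb:cc:dd:ee:01</mac><ipaddr>192.168.1.10</ipaddr>
        <hostname>nas</hostname><descr>Storage box</descr></staticmap>
      <staticmap><mac>AA-BB-CC-DD-EE-02</mac><ipaddr>192.168.1.11</ipaddr>
        <hostname>printer</hostname></staticmap>
    </lan>
    <opt1>
      <enable>1</enable>
      <staticmap><mac>aa:bb:cc:dd:ee:03</mac><ipaddr>10.10.0.5</ipaddr>
        <hostname>cam01</hostname><descr>IoT camera</descr></staticmap>
    </opt1>
  </dhcpd>
</opnsense>
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(raw):
    """Lower-case colon form; rejects anything that is not six hex octets."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address {raw!r}")
    return mac


def export_static_maps(config_xml):
    """One dict per <staticmap>, tagged with the interface it sits under.
    A MAC or IP seen twice anywhere in the config is an error: fix the source
    rather than importing the conflict into the new server."""
    rows, seen_mac, seen_ip = [], {}, {}
    dhcpd = ET.fromstring(config_xml).find("dhcpd")
    for iface in (dhcpd if dhcpd is not None else []):
        for sm in iface.findall("staticmap"):
            mac = normalize_mac(sm.findtext("mac", ""))
            ip = str(ipaddress.IPv4Address(sm.findtext("ipaddr", "").strip()))
            for key, seen in ((mac, seen_mac), (ip, seen_ip)):
                if key in seen:
                    raise ValueError(f"{key} appears on both {seen[key]} and {iface.tag}")
                seen[key] = iface.tag
            rows.append({"interface": iface.tag, "mac": mac, "ipaddr": ip,
                         "hostname": sm.findtext("hostname", "").strip(),
                         "descr": sm.findtext("descr", "").strip()})
    return rows


def to_csv(rows):
    """CSV with one row per reservation. Column names are this example's own
    (assumption); rename them to match the import target."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=["interface", "mac", "ipaddr", "hostname", "descr"])
    w.writeheader()
    w.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(export_static_maps(SAMPLE_CONFIG)))
```

Run it against a copy of the config backup (System > Configuration > Backups) rather than the live file, and keep the resulting CSV with the same care as the backup itself: hostnames plus fixed addresses are a ready-made map of the network.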
#6
26.1 Series / Re: Can't reach LAN from VLANs...
Last post by nero355 - Today at 12:23:53 AM
Quote from: mercxry on February 20, 2026, 03:57:25 PM
Maybe I just shouldn't be mixing LAN and VLANs on the same port

It's not recommended, but IMHO it should work just fine in most cases.

However...

Since I am using OPNsense in combination with a UniFi "Core Switch" (the old 16-port 150 PoE+/PoE model), I suggest you do the following:

On your OPNsense Router:
- Keep the Default LAN OPNsense network Untagged directly on the first NIC after the NIC that you are using as WAN.
So if igc0 is WAN then use igc1 just for LAN.
- Then use igc2 for your Main Home Network the same way as LAN : Directly Untagged on the NIC itself.
- Now you have just igc3 left for everything else like IoT and Guest networks.
On this NIC don't use anything Untagged.
However, do assign all your remaining VLANs to this NIC as Tagged.

On your UniFi Switch:
- Create a Switch Port Profile with just VLAN 1 as the Native VLAN which will make it Untagged Traffic.
REMOVE any other VLANs on this Switch Port Profile !!
- Assign this Switch Port Profile to the port where you will connect the igc1 NIC of your OPNsense Router.
- Create a Switch Port Profile with just the VLAN that is your Main Home Network as the Native VLAN which will make it Untagged Traffic.
REMOVE any other VLANs on this Switch Port Profile !!
- Assign this Switch Port Profile to the port where you will connect the igc2 NIC of your OPNsense Router.
- Create a Switch Port Profile with all your remaining VLANs as Tagged VLAN which will make them all Tagged VLAN Traffic.
REMOVE the Native VLAN on this Switch Port Profile !!
- Assign this Switch Port Profile to the port where you will connect the igc3 NIC of your OPNsense Router.

And now everything should work without any issues! ;)

(Well... if your networks all have just the basic Firewall Rules allowing Any to Any traffic via IPv4 and IPv6, of course... basically the two Allow Rules that are set up for the OPNsense LAN network by default... you know...)
#7
26.1 Series / Multiple Categories change
Last post by Nephiria - February 20, 2026, 11:01:00 PM
Hi all,

I have migrated to the new Firewall Rules.
But I have many Rules with Categories, and my question is:

I need a way to change multiple entries to assign a new Category. Is that implemented yet?

Thanks all.
#8
General Discussion / Re: Proper DNSBLs for Unbound
Last post by OPNenthu - February 20, 2026, 10:18:45 PM
It looks like there's a mention of this in the OPNsense docs but I must have missed it:

https://docs.opnsense.org/manual/unbound.html#predefined-sources

Quote
Note:
The OISD lists are wildcard lists, meaning that they will block all subdomains of the listed domains. For more information, refer to OISD. This keeps the list small and manageable, but they are more effective than regular lists.

So in addition to the Hagezi lists, it looks like the OISD lists are also wildcarded. The Hagezi ones just aren't marked as such in the doc, but they do use the wildcard version in the Unbound plugin, as I noticed.
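Added example (not the Unbound plugin's code and not anything from the thread) showing what "wildcard list" means in practice for a resolver-side blocklist: an entry blocks the listed name and every name beneath it, which is the same semantics as an Unbound `local-zone`, whereas an exact list only matches the literal name. The sample entries are constructed; the `*.domain` notation is accepted as one common way of marking wildcard entries, and the allowlist handling is this example's own design choice (an allow entry on a name or one of its ancestors wins), added because over-blocking is the usual cost of wildcard lists and a practitioner wants an escape hatch for a single host under a blocked parent.

```python
# Constructed list in three common line shapes: plain domain, "*.domain"
# wildcard marker, and "#" comments. Not taken from any real list.
SAMPLE_LIST = """
# constructed entries
ads.example.com
*.tracker.example.net
metrics.example.org   # trailing comment
"""


def parse_list(text):
    """Set of lower-cased domains; a leading '*.' is stripped because the
    wildcard/exact decision is made per list, not per entry."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        out.add(line[2:] if line.startswith("*.") else line)
    return out


def parents(name):
    """Yield the name and every ancestor: a.b.c -> a.b.c, b.c, c"""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def is_blocked(qname, blocklist, wildcard, allowlist=frozenset()):
    """Exact mode matches the queried name only; wildcard mode matches the
    name or any ancestor, like an Unbound local-zone covering everything
    under the zone. An allowlist hit on the name or an ancestor wins
    (example's own policy, so one host can be carved out of a blocked parent)."""
    names = list(parents(qname)) if wildcard else [qname.lower().rstrip(".")]
    if any(n in allowlist for n in names):
        return False
    return any(n in blocklist for n in names)


def unbound_local_zones(blocklist):
    """Render the entries as Unbound local-zone lines; always_nxdomain answers
    NXDOMAIN for the zone and every name beneath it, i.e. wildcard behaviour."""
    return "\n".join(f'local-zone: "{d}." always_nxdomain' for d in sorted(blocklist))


if __name__ == "__main__":
    bl = parse_list(SAMPLE_LIST)
    for q in ("ads.example.com", "cdn.ads.example.com"):
        print(q, "exact:", is_blocked(q, bl, False), "wildcard:", is_blocked(q, bl, True))
    print(unbound_local_zones(bl))
```

The practical consequence for the thread: with a wildcard list a 20k-entry file can cover what an exact list needs hundreds of thousands of lines for, but one careless parent entry (say a CDN's apex) takes every subdomain with it, so keep an allowlist and watch the resolver logs for NXDOMAIN answers to names you expected to resolve.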
#9
26.1 Series / Re: IPFire Domain Blocklist ( ...
Last post by OPNenthu - February 20, 2026, 09:18:12 PM
If it's OK, I've moved this part of the discussion to https://forum.opnsense.org/index.php?topic=51004.0, so that @abulafia and others can continue discussing the IPFire lists specifically.

I think I differ with you on the meaning of "integrated", @Patrick, but it's neither here nor there, I guess. This is another Coke vs. Pepsi thing now like Dnsmasq and Kea :P
#10
25.7, 25.10 Series / Re: Hostwatch - high disk writ...
Last post by Slybunda - February 20, 2026, 09:10:00 PM
Thanks for the reply. I've turned the feature off and so far so good, no issues.