Recent posts

#1
26.1 Series / Re: OPNsense System Tunables C...
Last post by opnessense - Today at 06:46:58 AM
Thanks all for the feedback.

My box is an N5105 with 16 GB RAM and 4× i226‑V, and at the moment I don't have any real issues: CPU is around 7–10%, RAM ~37%, temps ~24 °C and I'm getting full line speed.

I was looking at nightcomdev's tunables more as a reference to better understand what each sysctl does, not to blindly copy the whole list. After reading your comments, I've decided to keep the system mostly on defaults and, instead of applying the whole list, only consider a very small, hardware‑oriented subset for the i226‑V NICs:

hw.pci.enable_aspm=0
dev.igc.0.eee_control=0
dev.igc.1.eee_control=0
dev.igc.2.eee_control=0
dev.igc.3.eee_control=0
dev.igc.0.fc=0
dev.igc.1.fc=0
dev.igc.2.fc=0
dev.igc.3.fc=0
net.inet.tcp.tso=0

The idea is just to harden NIC behaviour and avoid known i226 quirks (ASPM/EEE/flow control/TSO), without touching RFC compliance or radically changing the TCP/IP stack. I'll only go beyond this minimal set if I ever run into concrete, measurable problems (e.g. NIC issues, jitter, or moving to 2.5 Gbps).

So for now I'll leave any further tuning aside and stick with "if it isn't broken, don't fix it". Thanks again for the cautions and explanations.
#2
German - Deutsch / Re: RDNNS Problem
Last post by Monviech (Cedrik) - Today at 06:33:43 AM
@Meyergru

One could add validation to prevent the input, if string starts with ::. I do that a few times in dnsmasq. Please open an issue or PR so it can be discussed.

@mik_schreiber

It feels like too much was fiddled with in the shell here, and the exact steps to reproduce are still missing. I'm staying out of this now until there is really actionable info.

EDIT: Okay, there is an issue, thanks. https://github.com/opnsense/core/issues/9967
#3
Development and Code Review / Re: claude ids demo
Last post by spen1995 - Today at 05:34:22 AM
Also worth mentioning: the code might not be perfect, as it was built with the help of Claude Code. Use at your own risk.
#5
Development and Code Review / claude ids demo
Last post by spen1995 - Today at 05:15:32 AM
[size=18]ClaudeIDS — Claude AI Alert Triage Plugin for OPNsense[/size]

Integrates the Anthropic Claude AI API into OPNsense as a native MVC plugin for automated IDS/IPS alert triage. Turns raw Suricata eve.json events into structured, actionable security intelligence — severity rating, block/monitor/investigate verdict, MITRE ATT&CK tactic, extracted IOCs, confidence score, and a plain-English recommended action.

Tested on OPNsense 25.x. Built and shared by gh0st.


(Screenshot: Claude IDS triage console showing a live result with MITRE tactic, IOCs, confidence score and auto-block button)



[size=14]What it does[/size]

  • Manual triage console — paste any Suricata eve.json line, Zenarmor alert, or raw log entry and get a full structured triage result in seconds
  • Auto-triage daemon — a background Python watcher tails eve.json and automatically triages every alert/anomaly event as it fires
  • Auto-block integration — when Claude returns a block verdict above your configured severity threshold, the source IP is added to a named pf alias table automatically
  • MITRE ATT&CK mapping — every result includes the relevant tactic, IOC list, confidence score (0–100), and a specific recommended action
  • Native OPNsense MVC plugin — full plugin structure with model, controller, view, ACL, and menu registration. Appears under Services in the sidebar just like any other plugin
  • Configurable — choose your Claude model (Sonnet recommended, Haiku for high-volume, Opus for depth), max tokens, block severity threshold, alias name, and eve.json path


[size=14]Example triage output[/size]

Input: a Suricata ET SCAN Potential SSH Scan alert from an external IP targeting port 22.

{
  "status": "ok",
  "severity": "medium",
  "verdict": "investigate",
  "summary": "External IP 198.51.100.22 is conducting potential SSH scanning activity against internal server 10.0.0.1 on port 22.",
  "reasoning": "The alert indicates reconnaissance activity with unidirectional traffic (4 packets sent, 0 received) suggesting connection attempts without successful establishment. The source IP is probing SSH which could indicate automated scanning or brute force preparation.",
  "recommended_action": "Check firewall logs for additional connection attempts from this IP, review SSH auth logs on 10.0.0.1, and consider rate limiting or blocking if pattern continues.",
  "src_ip": "198.51.100.22",
  "dst_ip": "10.0.0.1",
  "ioc": ["198.51.100.22"],
  "mitre_tactic": "Discovery",
  "confidence": 75,
  "timestamp": "2026-03-15T03:55:13Z"
}



[size=14]Requirements[/size]

  • OPNsense 23.x or later (tested on 25.x / FreeBSD 14)
  • Anthropic API key — sign up at console.anthropic.com, requires credits (very cheap — Haiku is ~$0.001 per triage)
  • Suricata IDS running with eve.json output enabled (for auto-triage)
  • PHP 8.x and Python 3.x — both bundled with OPNsense, nothing extra to install



[size=14]Installation[/size]

Step 1 — Download
Download claudeids-plugin.tar.gz attached to this post.

Step 2 — Copy to your OPNsense box
scp claudeids-plugin.tar.gz root@192.168.1.1:/tmp/

Step 3 — SSH in and run the install script
ssh root@192.168.1.1
cd /tmp && tar -xzf claudeids-plugin.tar.gz && sh claudeids-plugin/install.sh

The script copies all files, registers the plugin, clears caches, and restarts the web GUI automatically.

Step 4 — Hard refresh your browser

Press Ctrl+Shift+R. Claude IDS will appear under Services in the left sidebar.

Step 5 — Add your API key

Go to Services → Claude IDS → Settings. Paste your Anthropic API key, click Save Settings, then Test API Connection. The status chip in the top-right will turn green.

Step 6 (optional) — Set up auto-block

  • Go to Firewall → Aliases → Add
  • Name: ClaudeIDS_Blocklist, Type: Host(s), leave content empty
  • Create a firewall block rule using this alias as the source
  • Back in Claude IDS Settings, enable Auto-block on verdict: block

Step 7 (optional) — Enable auto-triage

In Settings, toggle on Auto-triage daemon. This starts a background watcher that tails your Suricata eve.json and triages every alert automatically. Results appear in the History tab and are logged to /var/log/claudeids/triage.json.



[size=14]File layout (what gets installed)[/size]

/usr/local/etc/inc/plugins.inc.d/claudeids.inc          plugin registration
/usr/local/opnsense/mvc/app/
  controllers/OPNsense/ClaudeIDS/
    IndexController.php                                  UI page controller
    Api/TriageController.php                             REST API + Claude calls
  models/OPNsense/ClaudeIDS/
    ClaudeIDS.xml / ClaudeIDS.php                        settings model
    ACL/ACL.xml                                          access control
    Menu/Menu.xml                                        sidebar registration
  views/OPNsense/ClaudeIDS/
    index.volt                                           dashboard UI
/usr/local/sbin/claudeids-watcher.py                    auto-triage daemon
/usr/local/opnsense/service/conf/actions.d/claudeids.conf  configd actions
/var/log/claudeids/triage.json                          triage history (runtime)
/var/log/claudeids/watcher.log                          daemon log (runtime)



[size=14]REST API endpoints[/size]

All endpoints require an OPNsense authenticated session (same as any other API call).

POST /api/claudeids/triage/analyze      triage a single alert (alert=<string>)
POST /api/claudeids/triage/batch        triage an array     (alerts=<json array>)
GET  /api/claudeids/triage/history      last 200 triage records
POST /api/claudeids/triage/block        manually block an IP (ip=<addr>)
GET  /api/claudeids/triage/getSettings  read current settings
POST /api/claudeids/triage/saveSettings write settings to config.xml



[size=14]Uninstalling[/size]

sh /tmp/claudeids-plugin/uninstall.sh

Stops the daemon and removes all installed files. Your API key and settings remain in /conf/config.xml under //OPNsense/ClaudeIDS — remove manually if desired.



[size=14]Important notes[/size]

  • Use sh install.sh — not ./install.sh. OPNsense uses tcsh as its default shell. The install script must be run explicitly with sh to get a POSIX shell.
  • Not an official plugin. This is a community plugin installed manually. It will not survive a full factory reset. Re-run install.sh after major OPNsense firmware upgrades.
  • API key security. The Anthropic API key is stored in OPNsense's config.xml. Enable config encryption if you haven't already (System → Settings → Administration → Secure Shell), and restrict config backup access.
  • Zenarmor. Zenarmor does not write to eve.json. Use the manual triage console to paste Zenarmor alerts, or pipe /var/log/sunny.log to the API endpoint manually.
  • Model choice. claude-sonnet-4 is recommended for balanced quality and cost. Use claude-haiku-4 for high-volume auto-triage on busy networks. claude-opus-4 for the most thorough analysis on critical alerts.


[size=14]How it works internally[/size]

The plugin sends each alert to the Claude API with a security analyst system prompt that instructs it to return a strict JSON object. The system prompt is tuned for OPNsense/Suricata context — it knows about Zenarmor categories, Suricata severity levels, and common home lab / small business threat patterns. The PHP controller strips any markdown fences from the response, parses the JSON, and returns it to the UI or logs it to the history file.

The auto-triage watcher is a plain Python 3 script that uses only stdlib (no pip installs needed). It reads the eve.json path from the OPNsense config via the REST API, seeks to EOF on startup, and processes new lines as they appear. It re-fetches settings every 60 seconds so changes in the UI are picked up without a restart.



[size=12]Built by gh0st — MIT License — feedback and PRs welcome[/size]
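As an added illustration of the auto-triage path the post describes (this is example code, not the ClaudeIDS plugin's own): it selects alert/anomaly events from eve.json lines, strips a markdown fence from the model reply before parsing it, and applies the block verdict against the severity threshold, with an extra guard so a malformed or internal src_ip returned by the model can never land in the pf alias. The sample eve.json lines, the sample reply, the PROTECTED ranges and the "severity meets threshold" reading are assumptions.

```python
import ipaddress
import json
import re

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed policy: never block our own address space, whatever the model says.
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
FENCE = chr(96) * 3  # markdown code fence, built this way so it cannot break the listing
# Constructed samples: eve.json lines (alert, flow, junk) and a fenced model reply.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"198.51.100.22","dest_ip":"10.0.0.1",'
    '"dest_port":22,"alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.1"}',
    'not json at all',
]
SAMPLE_REPLY = (FENCE + 'json\n{"status":"ok","severity":"high","verdict":"block",'
                '"src_ip":"198.51.100.22","ioc":["198.51.100.22","10.0.0.1"]}\n' + FENCE)

def triage_candidates(lines):
    """Keep parseable alert/anomaly events; drop flow/stats noise and junk."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and ev.get("event_type") in ("alert", "anomaly"):
            events.append(ev)
    return events

def parse_model_reply(text):
    """Strip an optional fence, then insist on a JSON object with status ok."""
    text = re.sub(rf"^\s*{FENCE}(?:json)?\s*|\s*{FENCE}\s*$", "", text)
    data = json.loads(text)
    if not isinstance(data, dict) or data.get("status") != "ok":
        raise ValueError("model reply is not a triage object")
    return data

def should_block(result, threshold="high"):
    """Return the IP to add to the pf alias, or None. Severity must meet threshold (assumed)."""
    rank = SEVERITY_RANK.get(result.get("severity"), 0)
    if result.get("verdict") != "block" or rank < SEVERITY_RANK[threshold]:
        return None
    try:  # a malformed or internal src_ip from the model must never reach the alias
        addr = ipaddress.ip_address(result.get("src_ip", ""))
    except ValueError:
        return None
    special = addr.is_loopback or addr.is_link_local or addr.is_multicast
    return None if special or any(addr in net for net in PROTECTED) else str(addr)
```

Whatever the watcher returns from should_block is the only value that should reach the alias; the model's ioc list is reporting data, not a block list.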
#6
Hardware and Performance / Re: DEC3920 / DEC3940 / DEC396...
Last post by pfry - Today at 04:49:09 AM
Quote from: dirtyfreebooter on Today at 03:02:51 AM
> i don't think its any of those based on the TDPs.[...]

They look OK to me. ~30W idle, ~150W max. My own firewall is similar (a 7700X), but with a bit higher power limit.

But yes, if it was up to me I'd publish more data. And send one to ServeTheHome. The folks there really don't have a complete firewall test suite (I'd like to see e.g. session setup rate and time to set up, say, 1500 VPNs), but I don't know of any review site that does.
#7
26.1 Series / 26.1.4 Update Took Everything ...
Last post by Disperser5395 - Today at 04:10:50 AM
I was attempting to install the acme community plugin. I've been running OPNsense for about three years with no problems. I saw that I needed an update to install the plugin. Updated to 26.1.4.
Upon reboot I had nothing. No connection to the internet. No WAN gateway. None of my firewall rules working.
Before shutting down and using a commercial wifi router I have lying around, I did notice something about new firewall rules. Seems strange that would take down my entire network, though.
At this point I'll need to start fresh. Is there a guide that encompasses whatever seemingly major changes have been made lately? I'm not an OPNsense expert, obviously, but I was using it to do everything I needed with Suricata and Mullvad working just fine. At this point I would be installing OPNsense from the beginning and going through setup. The installers I'm seeing appear to go back a few months. That makes me think a fresh install will put me back in the same position as soon as I update. Again, is there a guide that includes whatever changes were made to the system so that I can start from there? Thanks everyone!

#8
I don't think it's any of those based on the TDPs. *shrug*. Zenarmor being single-threaded, I just would like to support OPNsense, but this sort of hiding of information is nonsense; if I am going to spend $2000+ on a router, I'd like to know the exact specs.
#9
26.1 Series / Re: IPV6 redirect to unbound D...
Last post by OPNenthu - Today at 02:07:55 AM
I think there's clearly a misconfiguration here, possibly with his IPv6 addressing or interface assignments.  We'd need the setup details to try and spot it.

@falken I prefer to redirect only the non-local requests because if something is trying to reach DNS on an internal address which does not provide DNS on my network, I don't want that to go through.  I want that blocked and logged because it's abnormal.  YMMV.
#10
26.1 Series / New Guy
Last post by Datsys - Today at 01:52:53 AM
Howdy,
I'm a new kid on the block here and I am hoping for some help. My objective is two fold. Firstly, to make use of OPNSense in giving some system units that have been retired due to the end of Windows 10. Secondly, I want to use it along with DynFi Manager to provide remote management and support.

In the area of deploying OPNsense, I would appreciate information about making it as secure as possible. Here I am hoping to hear about suggested configuration and rules that should be put in to achieve this.

On the use of DynFi manager, I am hoping there are some users here who can let me know some things they have found/used to make it work as well as it can.

Really hoping for some response.