"Recent posts
#11
High availability / Re: Connectivity from a HA sec...
Last post by crlt - Today at 07:17:46 AMI recently setup iBGP for some internal services so I thought I would attempt this with eBGP between my two HA opnsense nodes. In the end I was able to achieve this with active/active BGP on each router (each having a unique router-id). However there seems to be an issue (bug? expected?) during failover and/or maintenance mode (mainly happen when one router is put into maintenance mode but not always) where an erroneous route is installed which not only breaks routing between sites but sends the traffic out of the WAN interface. The only way to fix it is to stop FRR and start it (restarting does not fix it). I suspect the cause is that routes are added before the wireguard site-to-site tunnel is ready.
This is the output in the FRR routing table. The second entry is supposed to be the site-to-site wireguard interface with it's tunnel address.
CODE NETWORK ADMIN DISTANCE METRIC INTERFACE INTERFACE_NAME VIA
B>* 10.20.10.0/24 20 0 <blank> <blank> 192.168.20.251
B>* 10.20.10.0/24 20 0 igb1 wan01 <WAN-IP>
After multiple steps to troubleshoot I gave up and figured that the potential for unexpected behavior during failover/maintenance was not worth it and eventually reverted back. Active/backup BGP does not solve it since the FRR daemon does not run on the backup I cannot reach the services on the site like I originally sought out to do.
This is the output in the FRR routing table. The second entry is supposed to be the site-to-site wireguard interface with it's tunnel address.
CODE NETWORK ADMIN DISTANCE METRIC INTERFACE INTERFACE_NAME VIA
B>* 10.20.10.0/24 20 0 <blank> <blank> 192.168.20.251
B>* 10.20.10.0/24 20 0 igb1 wan01 <WAN-IP>
After multiple steps to troubleshoot I gave up and figured that the potential for unexpected behavior during failover/maintenance was not worth it and eventually reverted back. Active/backup BGP does not solve it since the FRR daemon does not run on the backup I cannot reach the services on the site like I originally sought out to do.
#12
General Discussion / Seeking advice for first Guest...
Last post by Seldon - Today at 06:36:09 AMHi everyone,
I'm fairly new to tinkering with firewalls, so I'm bound to make lots of mistakes, so I'd thought I'd might dip my toes in by creating a guest VLAN and trying out some Rules, and wanted to get some feedback. I have a screenshot of my Rules attached. Anything to look out for, missing, general advice? Are there any must have Rules for guest networks over others? Did I make any mistakes? :)
I'm fairly new to tinkering with firewalls, so I'm bound to make lots of mistakes, so I'd thought I'd might dip my toes in by creating a guest VLAN and trying out some Rules, and wanted to get some feedback. I have a screenshot of my Rules attached. Anything to look out for, missing, general advice? Are there any must have Rules for guest networks over others? Did I make any mistakes? :)
#13
General Discussion / Can I inststall smokeping on o...
Last post by Meg - Today at 06:12:43 AMHi: Can I install Smokeping directly on Opnsense. I have seen this question in some old forum articles and have seen online one person that had it working on older Opnsese. Since the package for smokeping exists for both FreeBSD - https://www.freshports.org/net-mgmt/smokeping/ and HardenedBSD - https://github.com/HardenedBSD/hardenedbsd-ports/tree/master/net-mgmt/smokeping, I was wondering if there is an easy way to deploy it on OPNsense. I already tried and had issues with dependancies and conflicts with sunnyvally repositories. Has anyone got it to work on newer versions of Opnsense.
#14
Tutorials and FAQs / Re: OPNsense aarch64 firmware ...
Last post by Maurice - Today at 05:47:04 AM@neel You mean a bootable USB image with the interactive installer? You should be able to build this with the official github.com/opnsense/tools. Have you tried that?
If you don't want to build everything from scratch, you can prefetch the sets from my repo (see first post).
We've also recently added aarch64 support to opnsense-bootstrap, so another option is to install FreeBSD 14.3 first (using one of their official images) and then convert it to OPNsense.
(Update 25.7.9 is in work.)
If you don't want to build everything from scratch, you can prefetch the sets from my repo (see first post).
We've also recently added aarch64 support to opnsense-bootstrap, so another option is to install FreeBSD 14.3 first (using one of their official images) and then convert it to OPNsense.
(Update 25.7.9 is in work.)
#15
25.7, 25.10 Series / Re: os-OPNWAF / Exchange 2019 ...
Last post by Monviech (Cedrik) - Today at 05:43:00 AMI dont have an idea right now. I also know of customers for who it works as it is right now when using Outlook.
Caddy works because there is an NTML plugin compiled in (I maintain the Caddy plugin too). Though as NTML is deprecated I wonder how long that will still work.
If it works for Sophos UTM please connect to it via SSH and extract the apache config and post it here, maybe we can spot a difference to our apache config.
Caddy works because there is an NTML plugin compiled in (I maintain the Caddy plugin too). Though as NTML is deprecated I wonder how long that will still work.
If it works for Sophos UTM please connect to it via SSH and extract the apache config and post it here, maybe we can spot a difference to our apache config.
#16
25.7, 25.10 Series / Re: GeoIP with ipinfo stopped ...
Last post by Netlearn - Today at 04:44:19 AMYou cannot view this attachment.
Three of them have no problem, two of them don't seem to be happy with the file format.
Three of them have no problem, two of them don't seem to be happy with the file format.
#17
25.7, 25.10 Series / Re: GeoIP with ipinfo stopped ...
Last post by Netlearn - Today at 04:42:34 AMIn five different OPNsense, all of them on 25.7.9:
You cannot view this attachment.
You cannot view this attachment.
You cannot view this attachment.
You cannot view this attachment.
You cannot view this attachment.
You cannot view this attachment.
You cannot view this attachment.
You cannot view this attachment.
#18
Q-Feeds (Threat intelligence) / Re: Traffic from unassigned su...
Last post by Seimus - Today at 02:01:42 AMQuote from: Kets_One on December 05, 2025, 10:22:39 PMHi, thanks for the information. Does that mean that all TOR nodes (exists and relays) are on the list?
One those that are flagged for suspicious activity. This applies to any "IoC", that's why ppl often have VPNs blocked.
Regards,
S.
#19
Hardware and Performance / Re: Suggestion for Bufferbloat...
Last post by Seimus - Today at 01:55:02 AMIt should be set based on the Interface you apply the Shaping on (defined by the rule). Also for the standard MTU size ~1500B you can let Quantum on default. As the default covers the 1500B + 14B of the hardware header.
Very rarely there is a need to change the Quantum. Most use cases when Quantum is needed to be changed are sub 100Mbit speeds or when using Jumbo frames.
Regards,
S.
Very rarely there is a need to change the Quantum. Most use cases when Quantum is needed to be changed are sub 100Mbit speeds or when using Jumbo frames.
Regards,
S.
#20
General Discussion / No NUT UPS Status
Last post by kiekar - Today at 01:41:20 AMHello,
I'm trying to get NUT setup with no luck. My goal is to setup NUT as Master in OPNsense and have my Unraid Server setup in client mode. After entering the information in the Nut: configuration and rebooting I have nothing showing in the UPS status tab.
Configuration setup:
Enable Nut: selected
Service Mode: Standalone
Name: APC
Listen Address: 127.0.0.1
UPS Type:
USBHID-Driver which I selected
I ran a couple commands in the shell with outputs below.
nut-scanner -U
Scanning USB bus.
[nutdev-usb1]
driver = "usbhid-ups"
port = "auto"
vendorid = "051D"
productid = "0002"
product = "Back-UPS XS 1300G FW:864.L8 .D USB FW:L8"
serial = "************"
vendor = "American Power Conversion"
# bus = "000"
# device = "002"
# busport = "004"
upsdrvctl start
Network UPS Tools - UPS driver controller 2.8.2
Network UPS Tools - apcupsd network client UPS driver 0.72 (2.8.2)
Error: UPS [APC] is for driver usbhid-ups, but I'm apcupsd-ups!
upsnotify: failed to notify about state 4: no notification tech defined, will not spam more about it
Driver failed to start (exit status=1).
It may look like i have an issue with the driver but I'm not certain. I did have apcupsd plugin installed but it has been removed.
How can I get working. Your help would be much appreciated.
Thanks
I'm trying to get NUT setup with no luck. My goal is to setup NUT as Master in OPNsense and have my Unraid Server setup in client mode. After entering the information in the Nut: configuration and rebooting I have nothing showing in the UPS status tab.
Configuration setup:
Enable Nut: selected
Service Mode: Standalone
Name: APC
Listen Address: 127.0.0.1
UPS Type:
USBHID-Driver which I selected
I ran a couple commands in the shell with outputs below.
nut-scanner -U
Scanning USB bus.
[nutdev-usb1]
driver = "usbhid-ups"
port = "auto"
vendorid = "051D"
productid = "0002"
product = "Back-UPS XS 1300G FW:864.L8 .D USB FW:L8"
serial = "************"
vendor = "American Power Conversion"
# bus = "000"
# device = "002"
# busport = "004"
upsdrvctl start
Network UPS Tools - UPS driver controller 2.8.2
Network UPS Tools - apcupsd network client UPS driver 0.72 (2.8.2)
Error: UPS [APC] is for driver usbhid-ups, but I'm apcupsd-ups!
upsnotify: failed to notify about state 4: no notification tech defined, will not spam more about it
Driver failed to start (exit status=1).
It may look like i have an issue with the driver but I'm not certain. I did have apcupsd plugin installed but it has been removed.
How can I get working. Your help would be much appreciated.
Thanks
