Recent posts

#21
General Discussion / Re: Trouble with VLAN setup on...
Last post by pfry - November 24, 2025, 06:24:11 PM
Quote from: cookiemonster on November 24, 2025, 03:20:17 PM
Forgive me if I fail to understand the setup but aren't these two ends only access ports in reality? What is marking the packets with a VLAN tag if there is no managed switch there to do it?

The endpoints/access ports. It's segregation with extra steps. Without virtual system or VRF support it's (almost*) entirely rule-based, but what the heck, it's a choice. The bridge adds a bit of a twist, but I can't think of anything really unique about it as described. Setting up VLANs might make insertion of a switch at some point easier.

In this case, it's a troubleshooting opportunity, so to speak.

And of course there may be aspects I'm missing.

* You could get into different Ethernet attributes, but again, I can't think of any real difference between VLAN segregation and none.
#22
German - Deutsch / Re: Wireguard VPN Verbindung a...
Last post by meyergru - November 24, 2025, 06:22:27 PM
Have you defined firewall rules that allow the access? The entries in WireGuard itself are not enough for that.

With those you only get as far as the tunnel IP, which, by the way, you can also use to check whether the WG connection really works.
#23
Zenarmor (Sensei) / Re: Zenarmor Packet Engine Not...
Last post by sy - November 24, 2025, 05:32:42 PM
Hi,

"dev.netmap.ring_size" could be maximum 1024. Please change it.
#24
German - Deutsch / Wireguard VPN Verbindung aufge...
Last post by BeTZe313 - November 24, 2025, 04:20:44 PM
Hello everyone,
I have installed and configured WireGuard VPN on my OPNsense. On a Windows PC I have now installed and configured the client as well. According to the log in the client, a connection is being established. In the OPNsense status, the connection shows as green.

Unfortunately, I have the problem that I cannot access the OPNsense network from the Windows PC. For example, when I ping the OPNsense or try to open the config in the browser, it does not work. Nor does it work the other way around.

My config now looks like this:
OPNsense
Instance (WG1)
Public key and private key generated
Listen port: 51820
Tunnel Address: 10.123.123.1/24
Peers: externer PC

Peer
Public key of the Windows PC
Allowed IPs: 10.132.132.11/32
Endpoint address: static IP of the Windows PC
Endpoint Port: 51820
Instance: WG1
Keepalive interval: 25

Windows PC
Interface
PrivateKey
Address = 10.123.123.11/32
DNS: 10.123.123.1

Peer
PublicKey: from the OPNsense
AllowedIPs: 10.123.123.0/24
Endpoint: static IP of the OPNsense:51820

Log from the Windows PC
2025-11-24 16:18:01.303913: [TUN] [WBR] Retrying handshake with peer 1 (feste ip OPNsense:51820) because we stopped hearing back after 15 seconds
2025-11-24 16:18:01.303913: [TUN] [WBR] Sending handshake initiation to peer 1 (feste ip OPNsense:51820)
2025-11-24 16:18:01.330953: [TUN] [WBR] Receiving handshake response from peer 1 (feste ip OPNsense:51820)
2025-11-24 16:18:01.330953: [TUN] [WBR] Keypair 2 created for peer 1
2025-11-24 16:18:01.330953: [TUN] [WBR] Sending keepalive packet to peer 1 (feste ip OPNsense:51820)
2025-11-24 16:18:01.351185: [TUN] [WBR] Receiving keepalive packet from peer 1 (feste ip OPNsense:51820)
2025-11-24 16:18:17.220642: [TUN] [WBR] Retrying handshake with peer 1 (feste ip OPNsense:51820) because we stopped hearing back after 15 seconds
2025-11-24 16:18:17.220642: [TUN] [WBR] Sending handshake initiation to peer 1 (feste ip OPNsense:51820)
2025-11-24 16:18:17.246537: [TUN] [WBR] Receiving handshake response from peer 1 (feste ip OPNsense:51820)
2025-11-24 16:18:17.246537: [TUN] [WBR] Keypair 1 destroyed for peer 1
2025-11-24 16:18:17.246537: [TUN] [WBR] Keypair 3 created for peer 1
2025-11-24 16:18:17.246537: [TUN] [WBR] Sending keepalive packet to peer 1 (feste ip OPNsense:51820)
2025-11-24 16:18:17.267705: [TUN] [WBR] Receiving keepalive packet from peer 1 (feste ip OPNsense:51820)

Does anyone perhaps have an idea why I can't reach anything in the other network?

Thanks in advance.
#25
General Discussion / Re: Trouble with VLAN setup on...
Last post by cookiemonster - November 24, 2025, 03:20:17 PM
Forgive me if I fail to understand the setup but aren't these two ends only access ports in reality? What is marking the packets with a VLAN tag if there is no managed switch there to do it?
#26
General Discussion / Weird DHCP Problem?
Last post by spetrillo - November 24, 2025, 02:47:06 PM
Morning all,

I seem to be having a very weird DHCP problem with my wireless devices only. I am not sure if DHCP is the real problem or what is just showing up as the problem. Every 6 hours or so my wireless devices seem to lose connectivity, meaning they try to obtain an IP and cannot. It fails, so that is why I am saying DHCP. Now here comes the weird part. I reboot my OPNsense firewall and connectivity is restored.

What would you look at to determine what is happening? I see nothing obvious in the DHCP logs, but either my wireless subnet loses its gateway or DHCP is doing something funny.

Thanks,
Steve
#27
Hardware and Performance / Re: N150 / N355 good fits?
Last post by Seimus - November 24, 2025, 02:36:44 PM
Quote from: meyergru on November 23, 2025, 09:23:08 PM
IDK if zenarmor has finally made the jump to being multithreaded, there was a long ongoing discussion about that. If not, then an N355 will probably do nothing at all over an N150, because it only has more cores.

Any type of IDS/IPS will stress the CPU way more than pure routing. With an N150 and without IDS, you should get 10G routing throughput (or close to it, because most 82559-based devices cannot really reach full 10G speed).


I will add here the blanks to @meyergru's response.

ZA still doesn't officially support multi-core. It's in development. Furthermore, it seems they will really go with a paywall for this feature.
You can read the following and make your own opinion > https://forum.opnsense.org/index.php?topic=41295.0

N355 single-core performance is a bit better than the N150. So granted the performance on ZA should be a bit better, but don't expect 10G throughput. I am currently unaware of any cheap low-powered CPU that could handle this. And I would argue that not even the official DEC can do it. (Maybe the devs did test the enterprise-class DECs and can confirm? :))

If you don't use non-multicore based IDSes you have a chance to get 10G throughput. The N100/N150 can handle 2.5G throughput on single core without IDS.

Quote from: Billy2010 on November 23, 2025, 06:59:34 PM
I have listed these with 32Gb ram + 1T ssd:
N150 (+-450€)
N355 (+-560€)
N355 (+-704€) <- the one with 4x2.5G instead of 2x.
i5 1334U (850€) 4x2.5G, 20pci lanes vs 9.

These prices are crazy. I bought like last week for LAB a N355 2x10G AQC113 + 4x2.5G i226-V for way less providing my own RAM and NVME.

Regards,
S.

#28
German - Deutsch / Re: OPNSense Business 25.4.2 -...
Last post by viragomann - November 24, 2025, 02:35:38 PM
Thanks for the hint. That is something one should know.

It would be desirable if the GUI did not allow incompatible characters, or if there were at least a note about it. But unfortunately neither is the case.
I have a minus in the name. That causes no problem. By coincidence.
#29
German - Deutsch / Re: OPNSense Business 25.4.2 -...
Last post by Daniel.Hauptmann - November 24, 2025, 01:37:06 PM
I was able to solve the problem. It was "only" because under VPN -> IPSec -> Connections -> Pools, the "name field" contained an entry with the special character "." (period). I deleted it and created a new one without this special character, and everything works as intended!
#30
General Discussion / Re: DNS Unbound Issue
Last post by viragomann - November 24, 2025, 01:31:56 PM
Do you get NXDOMAIN also if you disable the VPN?