Recent posts

#21
25.1, 25.4 Series / Re: IPsec Group Authentication
Last post by jerryhze - Today at 06:42:58 AM
I have the same issue. I have created an issue on GitHub but no update yet.

https://github.com/opnsense/core/issues/9286
#22
I mean, you could still use Caddy, which is more mature in general and will fix most pain points you will have.

It also supports Authentik and I know quite some people using it that way.

If Zoraxy is your personal quest though to improve, go ahead. Not much I can do though.

If I remember correctly, the debug logging in lighttpd was also a major pita for me; I disabled syslogging and manually started it and looked at stdout in the console.
#23
Tutorials and FAQs / Re: [HOWTO] OpnSense under vir...
Last post by renew - Today at 05:47:35 AM
Hi,

I am attempting to create an OPNsense router on Proxmox. I just got my X ONU SFPP today. I have it in a 10Gtek SFP+ card. I am attempting to install it into a Proxmox / OPNsense machine. My network is 192.168.1.1, the XONU is at 192.168.11.1 (11 not 1). I have my Proxmox box as 192.168.1.50. I have another computer I connect to the Proxmox box through another NIC. Can you please walk me through the way to connect to the SFP+ on the "11" network? I need to set it up so it becomes my WAN into OPNsense. I am new to OPNsense, and yes, I need to learn a lot. Please be precise on how to connect/bridge or however I need to make the connection. And hopefully be kind. Thanks!
#24
25.7, 25.10 Series / Re: No WAN Connectivity with M...
Last post by dhanson - Today at 04:21:24 AM
I had a similar situation, but different circumstances with the same symptoms. Adding my situation to this post because this was one of the few that I found that matched the symptoms I was seeing.

Upgraded to a new firewall and did a fresh install shortly after fiber became available in my neighborhood. Had the new system set up, but with 2 WAN connections since my Xfinity line was still active, and added the new fiber line from Metronet.

A week after getting it set up and it was running fine, I got a static IP address from Metronet. I changed the interface for that line to use the static IP address, but when I changed the gateway setting for it, nothing could travel through it. Especially weird was that I could ssh to the OPNsense system, and with just the Metronet/static IP line connected, I could ping IP addresses from the WAN, but nothing in my LAN could ping outside of the LAN.

The solution for me was to create a new gateway in OPNsense specifically for the static IP address instead of editing the existing DHCP gateway and changing it to a static. Once I did that and changed the interface to use the new gateway rule instead of the edited one, it worked just fine.
#25
General Discussion / Re: Port Forwarding issue insi...
Last post by Land_Strider - Today at 04:20:23 AM
Quote from: viragomann on December 09, 2025, 08:07:43 PM
As the live view shows, the traffic is passed through OPNsense.
To be sure, you can run a packet capture on the LAN. Presumably the packets from the PC are going out there, but nothing is coming back.
If so, it's not on OPNsense.

You can try to hairpin the respective traffic on the LAN interface and see if it helps.

I tried to capture the packet traffic from both ends via Wireshark and the OPNsense interface, but I'm not sure how to make sense of it at the moment.
Looks like SNAT/DNAT works, but there is some other problem causing no response to be received by the PC for the packets it keeps re-sending. The ISP router could be dropping the packets, but as far as the NAT goes the packets should look like requested ones, right?

Attaching the filtered pcap files.
#26
25.7, 25.10 Series / Re: Dnsmasq stops after swap_p...
Last post by dmurphy - Today at 03:01:08 AM
Had a similar issue today.

[759718] swap_pager: out of swap space
[759718] swp_pager_getswapspace(7): failed
[760739] pid 88184 (dnsmasq), jid 0, uid 65534, was killed: failed to reclaim memory

I restarted dnsmasq - right now it looks like it's currently consuming > 1G memory. Surprised it's that large. Any idea if that footprint for dnsmasq is normal? I just switched over from ISC DHCP yesterday, so I don't need to induce instability ...

last pid: 63926;  load averages:  0.62,  0.46,  0.40                                            up 9+01:02:06  21:00:08
95 processes:  2 running, 93 sleeping
CPU: 16.7% user,  0.0% nice,  1.0% system,  0.1% interrupt, 82.2% idle
Mem: 453M Active, 1960M Inact, 10M Laundry, 2537M Wired, 104K Buf, 2895M Free
ARC: 1252M Total, 308M MFU, 847M MRU, 26M Anon, 7437K Header, 63M Other
     1077M Compressed, 3074M Uncompressed, 2.86:1 Ratio
Swap: 8192M Total, 338M Used, 7854M Free, 4% Inuse

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
 2049 nobody        1  20    0  1194M  1022M select   3   4:23   0.01% dnsmasq
25353 root          5  20    0   789M   535M kqread   0  55:23   0.00% python3.11
20699 unbound       4  20    0   754M   405M kqread   0  16:43   0.04% unbound
32880 root          1  20    0    89M    40M nanslp   2  95:37   0.75% php
38754 root          1  21    0    67M    39M accept   3   0:00   0.00% php-cgi
38980 root          1  24    0    66M    38M accept   1   0:01   0.00% php-cgi
39173 root          1  20    0    63M    36M accept   2   0:01   0.00% php-cgi
34530 root          1  20    0   132M    36M accept   3   0:49   0.00% python3.11
94077 root         12  20    0  1322M    35M uwait    2   1:49   0.00% tailscaled
85867 root          1  20    0    66M    35M accept   1   0:00   0.00% php-cgi
40453 root          1  47    0    60M    34M CPU2     2 484:29  64.90% python3.11
85405 root          1  20    0    61M    33M accept   0   0:00   0.00% php-cgi
85656 root          1  20    0    57M    30M accept   3   0:00   0.00% php-cgi
39215 root          1  66    0    46M    29M nanslp   1   0:00   0.00% python3.11
85460 root          1  26    0    57M    29M accept   2   0:00   0.00% php-cgi
68339 root          1  26    0    70M    28M accept   3   0:01   0.00% php-cgi
69129 root          1  20    0    66M    25M accept   3   0:01   0.00% php-cgi
39250 root          1  29    0    53M    24M accept   3   0:00   0.00% php-cgi
39218 root          1  28    0    53M    24M accept   1   0:00   0.00% php-cgi
38386 root          1  31    0    53M    24M wait     3   0:00   0.00% php-cgi
16645 root          1  20    0    66M    24M accept   2   0:01   0.00% php-cgi
#27
German - Deutsch / Re: Network rebuild/Rules
Last post by meyergru - Today at 02:24:54 AM
At least that is traffic that passes through the OPNsense. It can happen that packets arrive in the wrong state and get blocked, e.g. when TCP connections go stale.
#28
General Discussion / Re: Micron exits consumer mark...
Last post by qarkhs - Today at 01:07:30 AM
Quote from: OPNenthu on December 09, 2025, 07:40:05 PM
They're recouping costs (for now) with layoffs.

True with the emphasis on "for now". It will only work up to a point if they continue to burn mountains of cash. Generative AI is fabulously expensive and unreliable tech. It's hard to see how they make a profit given that their costs are growing faster than their ability to generate revenues.
#29
Actually, I think I solved it.

I don't know how this happened, but I looked at my outbound NAT rules under Firewall -> NAT -> Outbound.

There was only one rule here, from source any to destination *.

The issue? It was assigned to the "WireGuard Group". Presumably this worked in the past because I only had the one WireGuard interface, but once I added a second WireGuard interface, this group now automatically included all WireGuard interfaces, so this outbound NAT rule now applied to all WireGuard interfaces.

The second WireGuard interface I was using to connect my phone to my LAN does not need (and probably should not have) outbound NAT rules, so I changed the interface for this rule from the WireGuard Group to applying only to the network associated with WG0, and now I can enable WG1 without it hosing wg0.

I hope this helps someone else. I have wasted hours troubleshooting this.

I'm not sure how it happened, if it was some weird default setting, or if I accidentally created it through some sort of typo during my initial WireGuard setup, but at least now it is resolved.
#30
General Discussion / Re: Micron exits consumer mark...
Last post by qarkhs - Today at 12:55:57 AM
Quote from: OPNenthu on December 09, 2025, 07:36:37 PM
The data centers are not employing people, least of all locals. That's a lie. They're bringing in experts to set them up and then they run autonomously more or less.

They need a few people to go around replacing all the rapidly failing GPU parts! ;-)