Recent posts

#21
High availability / CARP Backup Interface holds vi...
Last post by mattes3344 - Today at 08:30:18 AM
Hello,

I have a problem with using CARP in unicast mode. When configuring CARP virtual IPs with unicast communication, both the master and the backup device are holding the virtual IP.
My setup is two OPNsense 25.7.9_7 VMs on different hypervisors. Because of problems getting multicast through the virtual switches, I tested with unicast. But this results in the described problem.

This is how it looks on the VMs:

root@fwint01-a:~ # ifconfig vtnet0
vtnet0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: SRV (opt2)
options=880008<VLAN_MTU,LINKSTATE,HWSTATS>
ether bc:24:11:28:9d:5a
inet 10.5.200.2 netmask 0xffffff00 broadcast 10.5.200.255
inet 10.5.200.1 netmask 0xffffffff broadcast 10.5.200.1 vhid 10
inet6 fd01:1:1:c8::2 prefixlen 64
inet6 fe80::be24:11ff:fe28:9d5a%vtnet0 prefixlen 64 scopeid 0x1
carp: MASTER vhid 10 advbase 1 advskew 0
      peer 10.5.200.3 peer6 ff02::12
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=121<PERFORMNUD,AUTO_LINKLOCAL,NO_DAD>


root@fwint01-b:~ # ifconfig vtnet0
vtnet0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: SRV (opt2)
options=880008<VLAN_MTU,LINKSTATE,HWSTATS>
ether bc:24:11:54:9e:5a
inet 10.5.200.3 netmask 0xffffff00 broadcast 10.5.200.255
inet 10.5.200.1 netmask 0xffffff00 broadcast 10.5.200.255 vhid 10
inet6 fd01:1:1:c8::3 prefixlen 64
inet6 fe80::be24:11ff:fe54:9e5a%vtnet0 prefixlen 64 scopeid 0x1
carp: BACKUP vhid 10 advbase 1 advskew 50
      peer 10.5.200.2 peer6 ff02::12
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=121<PERFORMNUD,AUTO_LINKLOCAL,NO_DAD>


So the fwint01-b is in Backup mode, but holds the virtual IP. This results in DUPs when sending pings to the connected network.
tcpdump shows that CARP packets are received on the Backup node.

root@fwint01-b:~ # tcpdump -n -i vtnet0 -t vrrp -T carp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP 10.5.200.2 > 10.5.200.3: CARPv2-advertise 36: vhid=10 advbase=1 advskew=0 authlen=7 counter=8611856153861731772
IP 10.5.200.2 > 10.5.200.3: CARPv2-advertise 36: vhid=10 advbase=1 advskew=0 authlen=7 counter=8611856153861731773
IP 10.5.200.2 > 10.5.200.3: CARPv2-advertise 36: vhid=10 advbase=1 advskew=0 authlen=7 counter=8611856153861731774

How can this be? Did I do something wrong?

Thanks in advance for your help

Regards
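A cross-check of the two ifconfig outputs in this post, added here as an example; it is not part of the post and not OPNsense code. One thing to keep in mind when reading those outputs: on FreeBSD a CARP address is configured on every node in the group, so it shows up in ifconfig on the BACKUP as well, and the BACKUP is simply expected not to answer for it. The address line alone therefore does not tell you which node is actually answering. The script below parses the ifconfig lines the post shows and compares the two nodes per vhid: both nodes MASTER (split-brain), identical advskew, VIP address or netmask differing between nodes, and, for unicast mode, whether each node's configured peer is really an address of the other node. Function names and the `fwint01-a`/`fwint01-b` labels are my own; the sample input is the post's output, trimmed to the relevant lines.

```python
import re
from collections import defaultdict

# Constructed sample input: the two ifconfig excerpts from the post above,
# trimmed to the interface header, inet/VIP lines, carp line and peer line.
IFCONFIG_A = """\
vtnet0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        inet 10.5.200.2 netmask 0xffffff00 broadcast 10.5.200.255
        inet 10.5.200.1 netmask 0xffffffff broadcast 10.5.200.1 vhid 10
        carp: MASTER vhid 10 advbase 1 advskew 0
              peer 10.5.200.3 peer6 ff02::12
"""
IFCONFIG_B = """\
vtnet0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        inet 10.5.200.3 netmask 0xffffff00 broadcast 10.5.200.255
        inet 10.5.200.1 netmask 0xffffff00 broadcast 10.5.200.255 vhid 10
        carp: BACKUP vhid 10 advbase 1 advskew 50
              peer 10.5.200.2 peer6 ff02::12
"""

VIP_RE = re.compile(r"^\s*inet (\S+) netmask (\S+) .*\bvhid (\d+)\b")   # VIP line carries "vhid N"
ADDR_RE = re.compile(r"^\s*inet (\S+) netmask")                         # any other inet line: node's own address
CARP_RE = re.compile(r"^\s*carp: (\w+) vhid (\d+) advbase (\d+) advskew (\d+)")
PEER_RE = re.compile(r"^\s*peer (\S+)")                                 # unicast peer, follows the carp line


def parse_carp(text):
    """Parse FreeBSD ifconfig output into {'addrs': [own IPv4s], 'vhids': {vhid: {...}}}."""
    info = {"addrs": [], "vhids": defaultdict(dict)}
    current = None  # vhid of the most recent carp: line, so a peer line can be attached to it
    for line in text.splitlines():
        m = VIP_RE.match(line)
        if m:
            vip, mask, vhid = m.groups()
            info["vhids"][int(vhid)].update(vip=vip, netmask=mask)
            continue
        m = ADDR_RE.match(line)
        if m:
            info["addrs"].append(m.group(1))
            continue
        m = CARP_RE.match(line)
        if m:
            state, vhid, advbase, advskew = m.groups()
            current = int(vhid)
            info["vhids"][current].update(state=state, advbase=int(advbase), advskew=int(advskew))
            continue
        m = PEER_RE.match(line)
        if m and current is not None:
            info["vhids"][current]["peer"] = m.group(1)
    return info


def check_pair(name_a, text_a, name_b, text_b):
    """Cross-check two nodes' CARP view; returns a list of findings (empty means consistent)."""
    a, b = parse_carp(text_a), parse_carp(text_b)
    findings = []
    for vhid in sorted(set(a["vhids"]) | set(b["vhids"])):
        if vhid not in a["vhids"] or vhid not in b["vhids"]:
            findings.append(f"vhid {vhid}: configured on only one node")
            continue
        va, vb = a["vhids"][vhid], b["vhids"][vhid]
        if (va.get("state"), vb.get("state")) == ("MASTER", "MASTER"):
            findings.append(f"vhid {vhid}: split-brain, both nodes are MASTER")
        if va.get("advskew") == vb.get("advskew"):
            findings.append(f"vhid {vhid}: equal advskew on both nodes, no preferred master")
        if va.get("vip") != vb.get("vip"):
            findings.append(f"vhid {vhid}: VIP differs ({va.get('vip')} vs {vb.get('vip')})")
        if va.get("netmask") != vb.get("netmask"):
            findings.append(f"vhid {vhid}: VIP netmask differs "
                            f"({name_a} {va.get('netmask')} vs {name_b} {vb.get('netmask')})")
        # Unicast mode: each node's configured peer must be an address the other node owns.
        if va.get("peer") and va["peer"] not in b["addrs"]:
            findings.append(f"vhid {vhid}: {name_a} peer {va['peer']} is not an address of {name_b}")
        if vb.get("peer") and vb["peer"] not in a["addrs"]:
            findings.append(f"vhid {vhid}: {name_b} peer {vb['peer']} is not an address of {name_a}")
    return findings


if __name__ == "__main__":
    for f in check_pair("fwint01-a", IFCONFIG_A, "fwint01-b", IFCONFIG_B) or ["no inconsistencies found"]:
        print(f)
```

Run against the post's own output, the only thing the script flags is that the VIP is configured with netmask 0xffffffff on fwint01-a but 0xffffff00 on fwint01-b. Whether that explains the duplicate replies is not something the script can decide; it is the one configuration difference between the two nodes that is visible in the post, and the first thing to make identical before going further. The split-brain and peer checks are there because those are the usual culprits when a BACKUP keeps answering in unicast setups, even though neither applies to the output shown here.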
#22
If you bind AGH to 0.0.0.0 instead of a specific interface, it will probably start.
#23
25.7, 25.10 Series / Re: service adguardhome not st...
Last post by neek - Today at 06:31:00 AM
By the time I'm able to log in to the box, there's nothing holding open port 53, for tcp or udp. I'm quite convinced this has to do with the interface not being up when adguardhome starts.

Quote from: BrandyWine on Today at 05:14:22 AM
Before doing anything manually, what does "netstat -na |grep 53" show?

Is there a way to say that adguardhome service must start after openvpn has completed?
#24
25.7, 25.10 Series / Re: service adguardhome not st...
Last post by neek - Today at 06:23:46 AM
Unfortunately I need to manually specify interfaces, since I have some vlans where I cannot use AdGuard. I think in your case, though, it would bind, but then silently fail for UDP queries on your openldap network. Or, at least, that's what it should do based on the errors I saw.

Quote from: cookiemonster on December 11, 2025, 11:08:51 PM
seems that way. In my setup I don't have this problem, probably because I don't bother with selecting interfaces for AdG. That is where the firewall rules come into their own. So my AdGuard has in its config
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53

#25
25.7, 25.10 Series / Re: service adguardhome not st...
Last post by BrandyWine - Today at 05:14:22 AM
Before doing anything manually, what does "netstat -na |grep 53" show?
#26
Quote from: OPNenthu on December 08, 2025, 09:49:35 AM
Just came across this: https://www.intel.com/content/www/us/en/support/articles/000005593/ethernet-products.html

I wonder if Windows clients need this "Intel® PROSet" tool to expose these functions in Device Manager and that's maybe what the reference was in regard to.
PROSet is no longer available for Windows 10 after package 20.120.
Since Windows 10 is basically over, Intel is not interested in keeping PROSet for it. Makes sense.
PROSet, though, is basically the driver for Windows (GUI + driver). I wonder how you then handle the VLAN stuff from, say, Linux.
https://www.intel.com/content/www/us/en/support/articles/000026008/wireless.html
#27
Q-Feeds (Threat intelligence) / Re: q-feeds feedback
Last post by Q-Feeds - December 11, 2025, 11:15:19 PM
Hi Mokaz and Dirtyfreebooter,

Glad everything works as expected! And thanks a lot for your feedback, really appreciated. Please find our answers below.

1.
Your guess is correct, the Community edition only provides open-source intelligence. Our threat lookup (Plus and Premium licenses) feature gives more insight into where items come from. We're not planning to make this available for the Community edition.

2.
As Cedrik already mentioned. :)

3.
We went with this approach because several users asked for a specific category during our beta testing. I guess everyone has their own preferences. :) Our personal view is that it's clearer to keep a distinction between Security and Services, otherwise the Services menu becomes cluttered with too many different functions. That said, I do agree that adding other security related services (including Zenarmor) to the menu would help keep things clean and consistent. I'll add it to our next meeting agenda to have a look at it.

Thanks again!

Kind regards,

David
#28
25.7, 25.10 Series / Re: service adguardhome not st...
Last post by cookiemonster - December 11, 2025, 11:08:51 PM
seems that way. In my setup I don't have this problem, probably because I don't bother with selecting interfaces for AdG. That is where the firewall rules come into their own. So my AdGuard has in its config
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
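The failure mode this thread is circling, a service that tries to bind to a specific interface address before the interface carrying it is up, shown as an added example. This is not from any post and not AdGuard Home code; `try_bind` and `wait_for_address` are my own helper names, and 192.0.2.1 is a TEST-NET address assumed not to be configured on the machine, standing in for a VPN interface that has not come up yet.

```python
import errno
import socket
import time


def try_bind(addr, port=0, proto=socket.SOCK_DGRAM):
    """Attempt to bind a socket to addr:port the way a resolver does at startup.

    port=0 lets the OS pick a free port, so the check needs no privileges.
    Returns (True, None) on success, or (False, errno name) on failure.
    Binding to an address no interface currently owns fails with EADDRNOTAVAIL;
    binding to 0.0.0.0 succeeds regardless of which interfaces are up.
    """
    s = socket.socket(socket.AF_INET, proto)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((addr, port))
        return True, None
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def wait_for_address(addr, timeout=30.0, interval=0.5):
    """Poll until addr is bindable (its interface is up) or the timeout expires.

    This is the shape of a pre-start check for a service pinned to one interface:
    returns True once the address can be bound, False if it never appears in time.
    """
    deadline = time.monotonic() + timeout
    while True:
        ok, _ = try_bind(addr)
        if ok:
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


if __name__ == "__main__":
    # 0.0.0.0 binds even with no interface up; the TEST-NET address (assumed absent) does not.
    for candidate in ("0.0.0.0", "192.0.2.1"):
        print(candidate, try_bind(candidate))
```

Binding to 0.0.0.0, as in the config quoted above, removes the startup race entirely; the cost is that the listener is then reachable from every interface, and keeping it off the VLANs where it must not serve becomes the firewall rules' job rather than the bind address. If the service has to stay pinned to specific addresses, a check of the `wait_for_address` kind in front of it is what "start only after the VPN interface exists" amounts to.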
#29
Q-Feeds (Threat intelligence) / Re: [Feature Request] DNSBL fo...
Last post by Q-Feeds - December 11, 2025, 10:48:20 PM
Good news, we expect to launch support for DNSCrypt-proxy in the next release (Plugin v1.4).

#30
Tutorials and FAQs / Re: OPNsense + PROXMOX + VLANs...
Last post by viragomann - December 11, 2025, 10:47:38 PM
What? Is the pppoe on vtnet0 or vtnet1?

Can you post the Proxmox network and the switch configuration?