Recent posts

#21
General Discussion / Configuration Converter from S...
Last post by maga - Today at 11:15:47 AM
There are thousands of Sophos UTM installations expiring in June 2026.
Are there plans for a configuration converter to facilitate migration to OPNsense?

This would be a big opportunity to boost OPNsense adoption, even if just the basic settings could be translated.
The original SG UTM hardware is capable of running OPNsense, so at least interface naming would be consistent.

If you are interested in such a converter too (or even working on it), then please let the forum know.
#22
German - Deutsch / Re: NUT Plugin noch verfügbar?
Last post by no_Legend - Today at 10:50:35 AM
Thanks, found it!
#23
Hello everyone, I'm setting up a local lab environment using VirtualBox on an Arch Linux host.
The virtual machine has been configured with the following specifications:
General:
  Name: FW-OPNsense-25.7
  Operating System: FreeBSD (64-bit)
System:
  Base Memory: 4096 MB
  Processors: 2
  Boot Order: Floppy, Optical, Hard Disk
  Acceleration: Nested Paging
Display:
  Video Memory: 16 MB
  Scale-factor: 2.00
  Graphics Controller: VMSVGA
  Remote Desktop Server: Disabled
  Recording: Disabled
Storage:
  Controller: IDE
  IDE Primary Device 0: FW-OPNsense-25.7.vdi (Normal, 50.00 GB)
Audio:
  Host Driver: Default
  Controller: ICH AC97
Network:
  Adapter 1: Intel PRO/1000 MT Desktop (NAT Network, 'NatNetwork')
  Adapter 2: Intel PRO/1000 MT Desktop (NAT Network, 'Management')
  Adapter 3: Intel PRO/1000 MT Desktop (NAT Network, 'Clients')
USB:
  USB Controller: OHCI, EHCI
  Device Filters: 0 (0 active)
Shared folders: None
Description: None

The networks are:
WAN -> NatNetwork
LAN -> Management
OPT1 -> Clients

For some reason the network I have connected to adapter 3 never works.
I tried deleting and creating fresh networks with different IP ranges several times, and it never works.
It seems like whatever network is configured as OPT1 never works [WAN & LAN networks work fine].

When I boot up a machine in the Clients network I get an APIPA IP address.
The OPNsense web GUI confirmed that DHCP was enabled and the IP ranges were correctly configured.

What's the source of this problem, and what is the recommended fix?
#24
General Discussion / Re: OpnSense SFP+ connection t...
Last post by meyergru - Today at 10:25:34 AM
At this point, I am inclined to believe it may be a limitation of the SFP slots. Intel did some trickery with those w.r.t. detection of some branded modules (I think I remember that there are driver settings for that). Also, it might be a firmware thing.

The reason is that the limit occurs at 1 Gbit/s, which points to a hardware limit, not one that is induced by software or CPU capacity.
#25
Why not use the battle tested OpenVPN server with MFA already existing in OPNsense core?
#26
German - Deutsch / Re: Einsteigerfrage zu NAT
Last post by Bubber - Today at 10:14:45 AM
Perhaps one more question to check my understanding:

If in the future I want to use a reverse proxy (to use subdomains for other hosts), it only forwards port 80 and possibly 443. That means I still need the NAT rule for the other ports, right?
And then I have to explicitly exclude ports 80 and 443 from my NAT rule, right?
#27
General Discussion / Re: [Help Needed] Block outgoi...
Last post by meyergru - Today at 10:11:23 AM
I am all for blocking inbound ICMP, but, as I said: by using your rationale you could forbid any kind of outbound traffic, because "there are attack techniques" that use that kind.

Once attackers are able to craft ICMP packets for exfiltration from inside your network, it is already too late, because they obviously have infiltrated your network already.

Which means: You can stop exfiltration only by blocking any outbound traffic, because any kind can be used to transport data. On the other hand, this obviously also refers to inbound traffic, because any connection can be used both ways.

A firewall should keep attackers outside in the first place. Once they are in, you cannot do much with a firewall, unless you are willing to sacrifice basic functionality or create the equivalent of a "sneakernet" (i.e. have no internet access at all).

Basically, you need endpoint security to evade exfiltration or in the case of IoT or other untrusted devices, confine them to a VLAN where they cannot exfiltrate anything worthwhile.

Everyone is free to apply any measure to reduce attack surface at any level. I just wanted to point out that the leverage in this case is fairly limited, so your efforts may be put to better use.
#28
Top right, "Show community plugins" ...
#29
German - Deutsch / NUT Plugin noch verfügbar?
Last post by no_Legend - Today at 09:25:24 AM
Hello everyone,

quick question: does the NUT plugin still exist?

For whatever reason, I can't find it on my system.

Thanks and regards, Robert
#30
German - Deutsch / Re: Einsteigerfrage zu NAT
Last post by Bubber - Today at 09:03:23 AM
Morning,
thanks for the quick and good answers!
I've now got it working:
- NAT rule restricted in ports (from 23-50000). (Several services run on the host behind it, some of which need many ports. So creating a NAT rule for each port individually would be too fiddly for me.)
- I can now cleanly block port 22 on the WAN interface
- I can handle WireGuard cleanly on port 51820

Thanks for the hints! The two most important were: Why forward all ports?! And NAT rules take effect before the FW rules.
This changes the interface/subnet on which the FW rules have to act.

Thanks again for the quick and great help!
BR
bubber