Recent posts

#21
Hardware and Performance / Re: which coreboot payload
Last post by Maurice - December 29, 2025, 10:28:27 PM
Not sure what the benefits of legacy BIOS would be, but maybe I'm not seeing the full picture.
#22
Zenarmor (Sensei) / CVE-2025-14847 vulnerability M...
Last post by PencilHCV - December 29, 2025, 10:22:04 PM
hi!
Is Mongo Database vulnerable to CVE-2025-14847?

best regards,
Hugo C.V.
#23
Hardware and Performance / Re: which coreboot payload
Last post by senser - December 29, 2025, 10:21:45 PM
So we can choose either edk2 OR seabios payload and we should be rebooting fine?
So what should I choose? :)
#24
25.7, 25.10 Series / Pointing to adguard DNS server
Last post by CursedGravity - December 29, 2025, 09:49:28 PM
I am running an adguard vm. I am trying to point my dhcp dns config to the adguard server ip. When I check my dns server from my dhcp config on my client, it's pointing to my opnsense router. I try to visit a website, like hp.com, and adguard does not show that the domain was queried for. I do a nslookup hp.com <adguard-ip>, and now hp.com shows up in the query log in adguard.
Currently, I'm pointing to the adguard server under unbound dns -> query forwarding.  I can confirm adguard is listening on port 53.
#25
25.7, 25.10 Series / Re: Dashboard/WebGUI slows, ha...
Last post by lpe397 - December 29, 2025, 09:41:03 PM
This is still an issue with the latest build. I'm just seeing this so I'll do some investigating however I can say that this is cross-platform as Firefox (140.6.0esr) for Linux (Debian 12) has the same issues. I run a pretty "busy" dashboard for five different OPNsense firewalls all running the latest open source version (OPNsense 25.7.10-amd64 : FreeBSD 14.3-RELEASE-p7 : OpenSSL 3.0.18) with only one of them crashing. That instance has only one dashboard widget different than the others, and that is the Certificates widget. Absolutely not sure if any of this will help, but if someone has something to try I can easily be a lab rat.
#26
Hardware and Performance / Re: which coreboot payload
Last post by Maurice - December 29, 2025, 09:36:16 PM
OPNsense GPT installations are hybrid. They have a GPT + ESP ("efi" partition) as well as an MBR + traditional second-stage boot loader ("freebsd-boot" partition). So the same disk can be booted using either UEFI or legacy BIOS.

Cheers
Maurice
#27
Zenarmor (Sensei) / Re: Provide firm date on multi...
Last post by dirtyfreebooter - December 29, 2025, 09:15:12 PM
it is quite disappointing. have been running a unifi gateway fiber (UXG) for 3 weeks now, the one without the network controller built-in. using the cybersecure subscription, which is $99 a year, so similar cost to zenarmor. unifi gateway basically uses suricata + dns filtering using cloudflare.

i have no problem getting 5gbps+ in my lab testing (sfp+ wan and lan) with all the suricata categories on + geo filtering + cloudflare content filtering, using this $279 unit. connecting it to my 1gbps fiber ISP,  idles at 7w and uses at most 9w when using the full 1 gbps connection.

zenarmor's categories and filtering is by far superior. especially since it filters at the firewall / packet level. unifi's relies on dns for content filtering, so if you wanted to block traffic at the firewall, you need to do old school firewall rules, which have different options than the cloudflare categories. which are also very broad and not really tunable.

unifi's gateway software has definitely improved greatly over the past 2 years. 2 years ago unifi gateway software was so unstable and unusable.

Quote: is opnsense a better firewall/gateway than unifi?
yes, without a doubt

Quote: is zenarmor better than the cybersecure for content filtering?
yes, without a doubt

but unifi is certainly not far behind and then zenarmor just does the most annoying things to its customers because it can't figure out how to restrict businesses from using home licenses??? other than making it a bad experience for home licenses. lol.

my kids are getting to the age now that extreme content filtering is not really needed, so for me the zenarmor advantage is less and less attractive. i plan on sticking with the unifi unit for a couple of months to fully give it a shot. hopefully go through a few software updates as well. see if that is a disaster or not.
#28
25.7, 25.10 Series / Re: DNS failures after upgrade...
Last post by pseudonym3k - December 29, 2025, 09:01:34 PM
Quote from: tokade on December 29, 2025, 07:57:48 PM
Since the 25.7 series, I have also noticed

Quote from: ESClaus76 on December 29, 2025, 06:05:58 PM
My setup was simple as it could get.

I'm the OP, I'm still working on my issues, possibly related to both of yours, possibly just coincidence that I'm running smoothly right now, but I'll give you what I've got and let you try it out if you're willing.

I'm not saying this is the best way to go, only that apparently it's working for me thus far and maybe you can get a stable setup too before moving on with more configuration.

1. If it isn't already, disable Unbound. Put your DNS server IPs in System -> Settings -> General.

2. I was having trouble with Health reports, I think something got corrupted in the upgrade. I went to Reporting -> Settings and reset/repaired everything, then rebooted. I had to do it a couple more times over a few weeks but reporting is working OK for now.

3. I've just moved from ISC to DNSmasq. I had DNSmasq in prior routers for years and liked it. This one is working for me too.
   - The first day was a little rocky as leases expired and got picked up by DNSMasq, but settled after that.
   - Don't enable DNSMasq until everything is ready. Then, disable ISC and enable DNSMasq. Reboot and give it a day to settle out.
   - Leave the listen port at 53 (because unbound is disabled)
   - I followed this guide: https://homenetworkguy.com/how-to/migrate-from-isc-dhcp-to-dnsmasq-or-kea-dhcp-in-opnsense/  except for leaving the listen port at 53 and skipping all the unbound info. I also put the lease time to 0 on all my reserved IPs. I don't know if that's redundant but it is what I've done on all past DNSMasq routers I've had.

   NOTE: In ISC I had a small window of IPs available for dynamic IPs, and all the reserved IPs were defined outside of that range.
         In my past DNSMasq routers I always gave the full LAN range for DHCP and reserved IPs were scattered throughout - I did the same here. The above guide also mentions this. I honestly don't know if that's required, but it's what I've always done.

4. I found out I was getting dpinger problems with gateway monitoring. I think this was causing me some instability. Probably nothing to do with DNS issues exactly, but my internet kept going unstable and only pulling the power cable would fix it. I could probably just uncheck gateway monitoring (and may still try that).

But for now I changed the IP from what was already populated, to a hop in a tracert to any public IP. I chose the IP from the fourth hop as it responded quickly. It's still within my ISP. I am not sure how the one in OPNsense was populated, I don't recall putting anything there when I first set up and don't have any notes about it. Maybe I did it and just don't remember. In any case, using the fourth hop IP on the tracert is working well and I don't have any dpinger entries anymore.

Check your logs at System -> Gateways -> Log file and see if you have any dpinger warnings or errors, especially "exit on signal 15" which I think means it was killed and restarted. (?) If you have warnings or errors, go to System -> Gateways -> Configuration and enter that fourth hop IP for monitoring. Or just try a reliable one like 1.1.1.1 or 8.8.8.8, something for your test that has a consistent fast response and solid uptime.


If you are willing to try the above and if your internet becomes stable after a day or two (and maybe a couple of reboots at intervals), then we might be able to help shed some light on why the most basic near-default installs seem to have trouble with DNS.

Let us know?

Kind regards.

#29
25.7, 25.10 Series / Re: ice driver (ddp) / latest ...
Last post by pfry - December 29, 2025, 08:46:56 PM
Quote from: bugacha on December 29, 2025, 07:50:02 PM
Nah, the driver (I guess by driver I mean DDP which I care about) wouldn't work if it doesn't match the firmware. I learned it hard way [...]

Huh! I have to say, I only use the E810 under FreeBSD (not OPNsense); my soon-to-be-wiped machine has a slightly older driver (1.43.2-k) and I use the default DDP (loader.conf: if_ice_load, ice_ddp_load = yes). (I don't believe I'll update from NVM 4.90 to 4.91 as there don't appear to be any updates relevant to my installation.)
#30
Hardware and Performance / which coreboot payload
Last post by senser - December 29, 2025, 08:33:52 PM
I want to switch from AMI Bios to coreboot on my Topton N150 box, which is currently running opnsense 25.7 (barebone).

So I am configuring coreboot (v25.12) for my mainboard (Topton ADL: TWL (X2E_N150)) on a fedora box and I am currently stuck at figuring out what payload I should choose.
This is what gpart says about my nvme disk containing opnsense:
$ gpart show
=>       40  488397088  nda0  GPT  (233G)
         40     532480     1  efi  (260M)
     532520       1024     2  freebsd-boot  (512K)
     533544        984        - free -  (492K)
     534528   16777216     3  freebsd-swap  (8.0G)
   17311744  471085056     4  freebsd-zfs  (225G)
  488396800        328        - free -  (164K)
AFAIK, I can not use seabios payload as it requires an MBR partition...or does it? Do I have one? Maybe it is hidden?
Sorry if this is a stupid question - but when I flash this coreboot.rom I'd REALLY like my router to boot up again... :)