Recent posts

#21
German - Deutsch / Re: GeoIP (Maxmind) nicht mehr...
Last post by viragomann - December 09, 2025, 10:57:56 PM
Hello,

Quote from: kosta on December 09, 2025, 09:01:56 PM
"In order to use GeoIP, you need to configure a source in the GeoIP settings tab"

Did you do that as well?
It is the last step in the guide.

Where does this message come up?
#22
General Discussion / Re: Zoraxy Reverse Proxy does ...
Last post by crazywolf13 - December 09, 2025, 10:56:33 PM
Yeah, seems like this is somewhat out of my league and power, but I'm happy to provide/do any testing for this to be resolved, as this is kind of the only major pain point I currently have in my homelab.


On a side note, on this thread, I'm also helping to troubleshoot Forward Auth in zoraxy when using authentik: https://github.com/tobychui/zoraxy/issues/895#issuecomment-3621381598

Here there is an image of Zoraxy that logs far more verbose data; maybe this is in any way helpful?
#23
German - Deutsch / Re: Probleme mit DNS + VLAN + ...
Last post by mfreudenberg - December 09, 2025, 10:55:05 PM
Hi,

I don't know where you can do a packet capture in OPNSense. I just fired up my Wireshark, filtered on the destination address and did a curl to heise.de.

I see lots of TCP retransmissions. I suspect the return packets somehow aren't getting through.

 
#24
General Discussion / I spent a couple of days tryin...
Last post by 7queue - December 09, 2025, 10:25:38 PM
What I tried as a backup recovery plan is to use a drive that's the same size as the one in the firewall in a USB adapter and have ZFS mirror the install partition onto the USB drive.

The usb drive has a clean install of OPNsense with zfs and that's it.

Plug the usb drive into the firewall and do the following

# gpart show
=>        40  2000409184  ada0  GPT  (954G)
          40      532480     1  efi  (260M)
      532520        1024     2  freebsd-boot  (512K)
      533544         984        - free -  (492K)
      534528    16777216     3  freebsd-swap  (8.0G)
    17311744  1983096832     4  freebsd-zfs  (946G)
  2000408576         648        - free -  (324K)

=>        40  2000409184  da0  GPT  (954G)
          40      532480    1  efi  (260M)
      532520        1024    2  freebsd-boot  (512K)
      533544         984       - free -  (492K)
      534528    16777216    3  freebsd-swap  (8.0G)
    17311744  1983096832    4  freebsd-zfs  (946G)
  2000408576         648       - free -  (324K)

The usb drive is da0 and partition 4 is the clean install of OPNsense.

# gpart delete -i 4 da0
# gpart add -i 4 -a 1m -t freebsd-zfs da0

Then attach the new partition. (I had to use -f since it complains that /dev/da0p4 is part of a potentially active pool 'zroot' from the clean install; if the USB drive is from a prior attach, then issue # zpool labelclear -f /dev/da0p4.)

# zpool attach -f zroot ada0p4 da0p4

Let it resilver, then shut down, unplug the USB drive, power the firewall back up and detach the now-missing USB drive.

# zpool detach zroot da0p4

After this, verify the USB drive works by booting off it in a test system. If you don't have a test system, you will need to temporarily disconnect the drive in the firewall in order to boot off the USB drive.

To clean up the cloned drive in the usb adapter.

# zpool detach zroot ada0p4

Login through the web interface and verify everything looks good.

If the drive in the firewall goes, I can boot off the USB drive until I get around to replacing the failed drive.
If the hardware goes, I have a drive in the USB adapter I can use in a new firewall to get back up and running.

...and this works for me, YMMV.
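As an added example (not from the post above, and not OPNsense or FreeBSD project code): a dry-run planner for the attach step of the procedure. It parses `gpart show` output, locates each disk's freebsd-zfs partition, refuses to continue if the USB partition is smaller than the firewall's (zpool attach rejects a smaller mirror member), and prints the zpool commands instead of running them. The pool and disk names zroot, ada0 and da0 are taken from the post but are placeholders for your own layout; the commented usage line assumes you run it on the firewall itself.

```sh
#!/bin/sh
# Added example, not from the original post: dry-run planner for mirroring
# the firewall's zroot partition onto a USB drive. Pool/disk names are
# placeholders (zroot, ada0, da0 as in the post); nothing here touches disks.

# zfs_part DISK GPART_OUTPUT -> prints "index size" of DISK's freebsd-zfs partition
zfs_part() {
    printf '%s\n' "$2" | awk -v disk="$1" '
        /^=>/                              { cur = $4 }   # "=> start size disk GPT (...)"
        cur == disk && $4 == "freebsd-zfs" { print $3, $2; exit }
    '
}

# mirror_plan POOL SRC_DISK DST_DISK GPART_OUTPUT -> prints the commands, or fails
mirror_plan() {
    pool="$1"; src="$2"; dst="$3"; out="$4"
    set -- $(zfs_part "$src" "$out"); src_idx="$1"; src_size="$2"
    set -- $(zfs_part "$dst" "$out"); dst_idx="$1"; dst_size="$2"
    if [ -z "$src_idx" ] || [ -z "$dst_idx" ]; then
        echo "no freebsd-zfs partition found on $src or $dst" >&2
        return 1
    fi
    # gpart sizes are in sectors; a mirror member must not be smaller than the original.
    if [ "$dst_size" -lt "$src_size" ]; then
        echo "${dst}p${dst_idx} ($dst_size sectors) is smaller than ${src}p${src_idx} ($src_size sectors)" >&2
        return 1
    fi
    cat <<EOF
# only if attach complains about a stale label from an earlier clone:
#   zpool labelclear -f /dev/${dst}p${dst_idx}
zpool attach -f $pool ${src}p${src_idx} ${dst}p${dst_idx}
zpool wait -t resilver $pool
zpool status $pool
EOF
}

# On the firewall:  mirror_plan zroot ada0 da0 "$(gpart show)"
# Review the printed commands, then run them one at a time.
```

`zpool wait -t resilver` blocks until the resilver has finished, so the shutdown step never races it. Keep in mind that the clone carries the complete configuration, including every password hash, VPN key and certificate in config.xml, so the USB drive needs the same physical protection as the firewall itself.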
#25
General Discussion / Re: Zoraxy Reverse Proxy does ...
Last post by meyergru - December 09, 2025, 10:16:55 PM
Yup, as I said, the moment you connect via HTTP/2 to Zoraxy with OpnSense as the backend, it does not work any more.

There must be something that is special on the backend when that happens which OpnSense does not like. However, I have found no way of setting or deleting HTTP headers on the frontend, nor could I find a setting within Zoraxy to change it. I used many combinations of advanced settings, like deleting headers that pertain to HTTP/2, to no avail.

The only approach I can think of is to dump all request data on the HTTPS backend - but that is not easy, since you cannot easily use tcpdump for that, you will need to have the web server (or Zoraxy as the client) do it. Zoraxy itself is relatively fresh - there is a bug open for this problem and there are no means to log requests, either (that is a feature request).
#26
Virtual private networks / Re: Routing OpenVPN Traffic th...
Last post by cidimir - December 09, 2025, 10:06:51 PM
It did, but what it didn't have was a SPD for the second child. For whatever reason, OPNSense only generated a source/dest pair for the first child, so I had to manually add a new pair for the second child and then associate them together with a reqid. It's functioning now.
#27
General Discussion / Re: Zoraxy Reverse Proxy does ...
Last post by crazywolf13 - December 09, 2025, 10:06:46 PM
I can't seem to get the debug lighttpd working.

I updated the following:

/usr/local/etc/lighttpd/conf.d/debug.con
-> uncommented: debug.log-response-header         = "enable"
debug.log-request-header          = "enable"

In the file: /usr/local/etc/lighttpd/conf.d/access_log.conf
I changed syslog-level from 6 to 7
accesslog.syslog-level     = 7
I uncommented this line:
accesslog.use-syslog       = "enable"
and commented out:
accesslog.filename          = log_root + "/access.log"
After that I restarted lighttpd:
configctl webgui restart
/usr/local/etc/rc.restart_webgui

I also rebooted the node.
Though after doing all that, I could not see any additional logfiles being written to /var/log/lighttpd/ and the default one still only contains the informational data:

2025-12-09T21:56:04
Informational
lighttpd
10.10.20.9 opnsense.XXX.dev - [09/Dec/2025:21:56:04 +0100] "GET / HTTP/2.0" 400 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0"

I also checked dmesg, but that did also not contain the debug logs of lighttpd, maybe this is something trivial that I'm missing with my limited FreeBSD knowledge.

Maybe someone knows what I'm doing wrong?


I also did some further tests with curl on HTTP/2 and HTTP/1.1, in case this sparks any idea for someone reading this.

Here directly via IP using http2

⚡tobia ❯❯ ./curl -vk --http2 https://10.50.20.1
Note: Using embedded CA bundle (230814 bytes)
Note: Using embedded CA bundle, for proxies (230814 bytes)
*   Trying 10.50.20.1:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust: peer verification disabled
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*   subject: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*   start date: May 12 14:22:51 2024 GMT
*   expire date: Jun 13 14:22:51 2025 GMT
*   issuer: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*   Certificate level 0: Public key type ? (4096/128 Bits/secBits), signed using sha256WithRSAEncryption
* SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
*  SSL certificate verification failed, continuing anyway!
* Established connection to 10.50.20.1 (10.50.20.1 port 443) from 192.168.1.200 port 53262
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://10.50.20.1/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: 10.50.20.1]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.17.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: 10.50.20.1
> User-Agent: curl/8.17.0
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< set-cookie: PHPSESSID=XXX; path=/; secure; HttpOnly; SameSite=Lax
< set-cookie: PHPSESSID=XXX; path=/; secure; HttpOnly
< set-cookie: cookie_test=XXX; expires=Tue, 09 Dec 2025 21:21:34 GMT; Max-Age=3600; path=/; secure; HttpOnly
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< referrer-policy: same-origin
< content-type: text/html; charset=UTF-8
< strict-transport-security: max-age=31536000
< accept-ranges: bytes
< content-length: 2789
< date: Tue, 09 Dec 2025 20:21:33 GMT
< server: OPNsense
<
<!doctype html>
<html lang="en-US" class="no-js">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

    <meta name="robots" content="noindex, nofollow" />
    <meta name="keywords" content="" />
    <meta name="description" content="" />
    <meta name="copyright" content="" />
    <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />
    <meta name="mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-capable" content="yes">

    <title>Login | OPNsense</title>

    <link href="/ui/themes/rebellion/build/css/main.css?v=190a5ea47ddfe74a" rel="stylesheet">
    <link href="/ui/themes/rebellion/build/images/favicon.png?v=190a5ea47ddfe74a" rel="shortcut icon">

    <script src="/ui/js/jquery-3.5.1.min.js"></script>

        <script src="/ui/js/theme.js?v=190a5ea47ddfe74a"></script>


            <script>
              $( document ).ready(function() {
                  $.ajaxSetup({
                  'beforeSend': function(xhr) {
                      xhr.setRequestHeader("X-CSRFToken", "Mg_cQQ_BwGrt5cZfGZCH2Q" );
                  }
                });
              });
            </script>
            </head>
  <body class="page-login">

  <div class="container">
    <main class="login-modal-container">
      <header class="login-modal-head" style="height:50px;">
        <div class="navbar-brand">
              <img src="/ui/themes/rebellion/build/images/default-logo.png?v=190a5ea47ddfe74a" height="30" alt="logo" />
            </div>
      </header>

      <div class="login-modal-content">
        <div id="inputerrors" class="text-danger">&nbsp;</div><br />

            <form class="clearfix" id="iform" name="iform" method="post" autocomplete="off"><input type="hidden" name="QdgI-W_IbDP7V2LuCt37pw" value="Mg_cQQ_BwGrt5cZfGZCH2Q" autocomplete="new-password" />

        <div class="form-group">
          <label for="usernamefld">Username:</label>
          <input id="usernamefld" type="text" name="usernamefld" class="form-control user" tabindex="1" autofocus="autofocus" autocapitalize="off" autocorrect="off" />
        </div>

        <div class="form-group">
          <label for="passwordfld">Password:</label>
          <input id="passwordfld" type="password" name="passwordfld" class="form-control pwd" tabindex="2" />
        </div>

        <button type="submit" name="login" value="1" class="btn btn-primary pull-right">Login</button>

      </form>




          </div>

      </main>
      <div class="login-foot text-center">
        <a target="_blank" href="https://opnsense.org/">OPNsense</a> (c) 2014-2025        <a target="_blank" href="https://www.deciso.com/">Deciso B.V.</a>
      </div>

    </div>

    </body>
  </html>
* Connection #0 to host 10.50.20.1:443 left intact

Here using zoraxy with http2

⚡tobia ❯❯ ./curl -vk --http2 https://opnsense.XXX.dev
Note: Using embedded CA bundle (230814 bytes)
Note: Using embedded CA bundle, for proxies (230814 bytes)
* Host opnsense.XXX.dev:443 was resolved.
* IPv6: (none)
* IPv4: 10.10.20.9
*   Trying 10.10.20.9:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust: peer verification disabled
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*   subject: CN=*.XXX.dev
*   start date: Nov 14 12:53:44 2025 GMT
*   expire date: Feb 12 12:53:43 2026 GMT
*   issuer: C=US; O=Let's Encrypt; CN=R12
*   Certificate level 0: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
*  SSL certificate verification failed, continuing anyway!
* Established connection to opnsense.XXX.dev (10.10.20.9 port 443) from 192.168.1.200 port 53371
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://opnsense.XXX.dev/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: opnsense.XXX.dev]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.17.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: opnsense.XXX.dev
> User-Agent: curl/8.17.0
> Accept: */*
>
* Request completely sent off
< HTTP/2 400
< content-type: text/html
< date: Tue, 09 Dec 2025 20:24:22 GMT
< server: OPNsense
< content-length: 162
<
<!DOCTYPE html>
<html lang="en">
 <head>
  <meta charset="UTF-8" />
  <title>400 Bad Request</title>
 </head>
 <body>
  <h1>400 Bad Request</h1>
 </body>
</html>
* Connection #0 to host opnsense.XXX.dev:443 left intact

Here directly via IP using http1.1

⚡tobia ❯❯ ./curl -vk --http1.1 https://10.50.20.1
Note: Using embedded CA bundle (230814 bytes)
Note: Using embedded CA bundle, for proxies (230814 bytes)
*   Trying 10.50.20.1:443...
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust: peer verification disabled
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* ALPN: server accepted http/1.1
* Server certificate:
*   subject: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*   start date: May 12 14:22:51 2024 GMT
*   expire date: Jun 13 14:22:51 2025 GMT
*   issuer: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*   Certificate level 0: Public key type ? (4096/128 Bits/secBits), signed using sha256WithRSAEncryption
* SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
*  SSL certificate verification failed, continuing anyway!
* Established connection to 10.50.20.1 (10.50.20.1 port 443) from 192.168.1.200 port 53497
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 10.50.20.1
> User-Agent: curl/8.17.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Set-Cookie: PHPSESSID=XXX; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: PHPSESSID=XXX; path=/; secure; HttpOnly
< Set-Cookie: cookie_test=XXX; expires=Tue, 09 Dec 2025 21:28:14 GMT; Max-Age=3600; path=/; secure; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Referrer-Policy: same-origin
< Content-type: text/html; charset=UTF-8
< Strict-Transport-Security: max-age=31536000
< Accept-Ranges: bytes
< Content-Length: 2789
< Date: Tue, 09 Dec 2025 20:28:14 GMT
< Server: OPNsense
<
<!doctype html>
<html lang="en-US" class="no-js">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

    <meta name="robots" content="noindex, nofollow" />
    <meta name="keywords" content="" />
    <meta name="description" content="" />
    <meta name="copyright" content="" />
    <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />
    <meta name="mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-capable" content="yes">

    <title>Login | OPNsense</title>

    <link href="/ui/themes/rebellion/build/css/main.css?v=190a5ea47ddfe74a" rel="stylesheet">
    <link href="/ui/themes/rebellion/build/images/favicon.png?v=190a5ea47ddfe74a" rel="shortcut icon">

    <script src="/ui/js/jquery-3.5.1.min.js"></script>

        <script src="/ui/js/theme.js?v=190a5ea47ddfe74a"></script>


            <script>
              $( document ).ready(function() {
                  $.ajaxSetup({
                  'beforeSend': function(xhr) {
                      xhr.setRequestHeader("X-CSRFToken", "QHvHZSgsipJdn7QCOlywiA" );
                  }
                });
              });
            </script>
            </head>
  <body class="page-login">

  <div class="container">
    <main class="login-modal-container">
      <header class="login-modal-head" style="height:50px;">
        <div class="navbar-brand">
              <img src="/ui/themes/rebellion/build/images/default-logo.png?v=190a5ea47ddfe74a" height="30" alt="logo" />
            </div>
      </header>

      <div class="login-modal-content">
        <div id="inputerrors" class="text-danger">&nbsp;</div><br />

            <form class="clearfix" id="iform" name="iform" method="post" autocomplete="off"><input type="hidden" name="H6oJ5FEb0wUfRprByrj2DQ" value="QHvHZSgsipJdn7QCOlywiA" autocomplete="new-password" />

        <div class="form-group">
          <label for="usernamefld">Username:</label>
          <input id="usernamefld" type="text" name="usernamefld" class="form-control user" tabindex="1" autofocus="autofocus" autocapitalize="off" autocorrect="off" />
        </div>

        <div class="form-group">
          <label for="passwordfld">Password:</label>
          <input id="passwordfld" type="password" name="passwordfld" class="form-control pwd" tabindex="2" />
        </div>

        <button type="submit" name="login" value="1" class="btn btn-primary pull-right">Login</button>

      </form>




          </div>

      </main>
      <div class="login-foot text-center">
        <a target="_blank" href="https://opnsense.org/">OPNsense</a> (c) 2014-2025        <a target="_blank" href="https://www.deciso.com/">Deciso B.V.</a>
      </div>

    </div>

    </body>
  </html>
* Connection #0 to host 10.50.20.1:443 left intact

Here using http1.1 and directly via IP:

⚡tobia ❯❯ ./curl -vk --http1.1 https://opnsense.XXX.dev
Note: Using embedded CA bundle (230814 bytes)
Note: Using embedded CA bundle, for proxies (230814 bytes)
* Host opnsense.XXX.dev:443 was resolved.
* IPv6: (none)
* IPv4: 10.10.20.9
*   Trying 10.10.20.9:443...
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust: peer verification disabled
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / [blank] / UNDEF
* ALPN: server accepted http/1.1
* Server certificate:
*   subject: CN=*.XXX.dev
*   start date: Nov 14 12:53:44 2025 GMT
*   expire date: Feb 12 12:53:43 2026 GMT
*   issuer: C=US; O=Let's Encrypt; CN=R12
*   Certificate level 0: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
*  SSL certificate verification failed, continuing anyway!
* Established connection to opnsense.XXX.dev (10.10.20.9 port 443) from 192.168.1.200 port 53562
* using HTTP/1.x
> GET / HTTP/1.1
> Host: opnsense.XXX.dev
> User-Agent: curl/8.17.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: no-store, no-cache, must-revalidate
< Content-Length: 2789
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';
< Content-Type: text/html; charset=UTF-8
< Date: Tue, 09 Dec 2025 20:30:14 GMT
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Pragma: no-cache
< Referrer-Policy: same-origin
< Server: OPNsense
< Set-Cookie: PHPSESSID=XXX; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: PHPSESSID=XXX; path=/; secure; HttpOnly
< Set-Cookie: cookie_test=XXX; expires=Tue, 09 Dec 2025 21:30:14 GMT; Max-Age=3600; path=/; secure; HttpOnly
< Strict-Transport-Security: max-age=31536000
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Xss-Protection: 1; mode=block
<
<!doctype html>
<html lang="en-US" class="no-js">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

    <meta name="robots" content="noindex, nofollow" />
    <meta name="keywords" content="" />
    <meta name="description" content="" />
    <meta name="copyright" content="" />
    <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />
    <meta name="mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-capable" content="yes">

    <title>Login | OPNsense</title>

    <link href="/ui/themes/rebellion/build/css/main.css?v=190a5ea47ddfe74a" rel="stylesheet">
    <link href="/ui/themes/rebellion/build/images/favicon.png?v=190a5ea47ddfe74a" rel="shortcut icon">

    <script src="/ui/js/jquery-3.5.1.min.js"></script>

        <script src="/ui/js/theme.js?v=190a5ea47ddfe74a"></script>


            <script>
              $( document ).ready(function() {
                  $.ajaxSetup({
                  'beforeSend': function(xhr) {
                      xhr.setRequestHeader("X-CSRFToken", "vCn25poe5-7duF4xaGVFqg" );
                  }
                });
              });
            </script>
            </head>
  <body class="page-login">

  <div class="container">
    <main class="login-modal-container">
      <header class="login-modal-head" style="height:50px;">
        <div class="navbar-brand">
              <img src="/ui/themes/rebellion/build/images/default-logo.png?v=190a5ea47ddfe74a" height="30" alt="logo" />
            </div>
      </header>

      <div class="login-modal-content">
        <div id="inputerrors" class="text-danger">&nbsp;</div><br />

            <form class="clearfix" id="iform" name="iform" method="post" autocomplete="off"><input type="hidden" name="Y-eTdSKnnMVkTXU-RgdR8g" value="vCn25poe5-7duF4xaGVFqg" autocomplete="new-password" />

        <div class="form-group">
          <label for="usernamefld">Username:</label>
          <input id="usernamefld" type="text" name="usernamefld" class="form-control user" tabindex="1" autofocus="autofocus" autocapitalize="off" autocorrect="off" />
        </div>

        <div class="form-group">
          <label for="passwordfld">Password:</label>
          <input id="passwordfld" type="password" name="passwordfld" class="form-control pwd" tabindex="2" />
        </div>

        <button type="submit" name="login" value="1" class="btn btn-primary pull-right">Login</button>

      </form>




          </div>

      </main>
      <div class="login-foot text-center">
        <a target="_blank" href="https://opnsense.org/">OPNsense</a> (c) 2014-2025        <a target="_blank" href="https://www.deciso.com/">Deciso B.V.</a>
      </div>

    </div>

    </body>
  </html>
* Connection #0 to host opnsense.XXX.dev:443 left intact
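The four-way comparison above (direct vs. proxied, HTTP/1.1 vs. HTTP/2), as an added shell example that is not part of the post and not Zoraxy or OPNsense code: `matrix` runs curl against both URLs with both protocol flags and tabulates the negotiated protocol and status, and `header_diff` compares two `curl -D -` header dumps by header name. Names are lower-cased before comparing because HTTP/2 lower-cases them on the wire while HTTP/1.1 keeps the server's spelling, which is the only difference between the two direct responses above. The host names are placeholders, and `-k` is there only because the direct target presents a self-signed certificate; do not carry it into anything that is not a lab box.

```sh
#!/bin/sh
# Added example, not from the original post: run the direct/proxied x
# HTTP/1.1/HTTP/2 matrix in one go and diff the response header sets.
# URLs are placeholders. -k disables certificate verification and is only
# acceptable because the direct target is a self-signed lab firewall.

# probe URL CURL_FLAG -> "<http_version> <status>" as curl saw it
probe() {
    curl -sk -o /dev/null "$2" -w '%{http_version} %{response_code}\n' "$1"
}

# matrix DIRECT_URL PROXY_URL -> one line per URL/protocol combination
matrix() {
    for url in "$1" "$2"; do
        for flag in --http1.1 --http2; do
            printf '%-32s %-10s %s\n' "$url" "$flag" "$(probe "$url" "$flag")"
        done
    done
}

# headers_of URL CURL_FLAG -> raw response headers (what `curl -D -` prints)
headers_of() {
    curl -sk -o /dev/null -D - "$2" "$1"
}

# header_names DUMP -> sorted unique header names, lower-cased
# (HTTP/2 lower-cases names on the wire; HTTP/1.1 keeps the server's case)
header_names() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -F: '/^[A-Za-z0-9-]+:/ { print tolower($1) }' | sort -u
}

# header_diff DUMP_A DUMP_B -> "< name" for headers only in A, "> name" only in B
header_diff() {
    {
        header_names "$1" | sed 's/^/A /'
        header_names "$2" | sed 's/^/B /'
    } | awk '{ seen[$2] = seen[$2] $1 }
             END { for (h in seen) {
                       if (seen[h] == "A") print "<", h
                       else if (seen[h] == "B") print ">", h } }' | sort
}

# Example session (hypothetical hosts):
#   matrix https://10.50.20.1 https://opnsense.example.dev
#   header_diff "$(headers_of https://10.50.20.1 --http2)" \
#               "$(headers_of https://opnsense.example.dev --http2)"
```

An empty `header_diff` between the direct HTTP/1.1 and HTTP/2 responses confirms the backend behaves the same for both on its own; a non-empty one between the direct and the proxied response narrows the 400 down to what the proxy adds or strips, which is the part Zoraxy currently cannot log for you.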
#28
German - Deutsch / Re: Umbau Netzwerk/Rules
Last post by kosta - December 09, 2025, 09:56:38 PM
It's a /16 network, i.e. 10.20.0.0/16. The IPs start from 10.20.1.0/16. Nothing strange about it, I think :)
I don't have a /24 network anymore either.
#29
Virtual private networks / Re: Need WireGuard Peers with ...
Last post by mattlach - December 09, 2025, 09:55:06 PM
Quote from: Monviech (Cedrik) on December 08, 2025, 09:27:45 PM
You wrote quite an essay there.

The model comma separates values automatically. Just enter a range without comma, press tab, enter the next range without comma, and so on.

Thank you for your response.

You are correct.  I was mistaken.

I must have gone too fast and just used a comma to separate the IP fields, causing the frontend to reject it. If I do not use a comma, it allows me to save the configuration.

Sadly, it still does not work. I had assumed that my problems were due to an "Allowed IP's" overlap, but it turns out that this is only a problem within the same instance. I have two separate instances, so this should not be an issue.

Something else weird is going on.

I'll be humming along with wg0 working just fine, connected to my external server and routing all traffic through it. Then as soon as I click "enable" and "apply" on wg1, a WireGuard server for my road warrior phone setup, wg0 shits a brick.

Connectivity becomes intermittent and slow, and things just fall apart.

The funny part is wg1 works just fine. My phone can connect and access both my internal LAN and the external internet exiting via wg0.

I don't think it is an MTU issue, as the two tunnels are independent of each other, so there is no double encapsulation. With routing disabled in the instance, it also should not be a routing issue.

But I can't for the life of me figure out why enabling wg1 harms wg0.

Any suggestions?

"Disable Route
#30
25.7, 25.10 Series / Re: Unwanted route that keeps ...
Last post by abenaou - December 09, 2025, 09:51:59 PM
Quote from: Patrick M. Hausen on December 07, 2025, 09:38:51 PM
If the DHCP server in LAN98 sends a default gateway, that is the cause for your static route. Don't use DHCP or any dynamic configuration for anything but WAN.
This was indeed the solution to the problem, thank you so much.
But why is it that only one single host has this issue and the others work just fine?