Recent posts

#21

25.7, 25.10 Series / Re: openvpn instances

Last post by viragomann - January 17, 2026, 09:36:11 PM

Yes but I have 2 ppoe WANs with a non static IP (which I would like to use as WANs for client services).

You can configure outbound NAT rule to translate the source IP in either WAN address.

#22

25.7, 25.10 Series / Re: openvpn instances

Last post by tbs - January 17, 2026, 09:06:55 PM

I'd rather do it for client services. As some IPs on my subnets are using VPN connection to other remote networks.

#23

25.7, 25.10 Series / Re: DNSMASQ IPSET update delay...

Last post by metacyx - January 17, 2026, 09:03:54 PM

I'm running the same setup for traffic splitting, and yeah, I've noticed that slight lag right when dnsmasq kicks the IP into the alias. It's a bit of a pain because you end up having to hit refresh on the client side once just to get everything to connect properly.

#24

25.7, 25.10 Series / Re: 25.7.11 GeoIP

Last post by MoonbeamFrame - January 17, 2026, 08:51:23 PM

Thanks Patrick

I had created a new GeoIP alias. Which triggered the download of the respective GeoIP data.

I had also tried editing and saving all the original aliases.

#25

General Discussion / Development / Community / Busi...

Last post by Maurice - January 17, 2026, 08:37:15 PM

Hey everyone,

Inspired by the recent hostwatch experience, I wanted to start a bit of a meta discussion about the Development / Community / Business versions of OPNsense and when to use which. It was my understanding that Development is for public testing, Community is ready for production (although a bit bleeding edge) and Business is extra stable for critical use cases.

From what I see on GitHub and the forum and from my own experience, hostwatch is still in the development phase. For example, a serious issue was reported a month ago and is still open. Nonetheless, it was now moved to the Community version and enabled by default. This feels like a beta test, which I was under the impression you needed to opt-in for by switching to the Development version.

Not blaming anyone, just interested in your opinions about what level of maturity you (can) expect in which version.

Development = beta, Community = stable, Business = extra stable?
Or Development = alpha, Community = beta, Business = stable?

Personally, I mostly use the Community version and occasionally switch to Development when I really need a feature which has not yet been released.

Cheers
Maurice

#26

25.7, 25.10 Series / Re: 25.7.11 GeoIP

Last post by Patrick M. Hausen - January 17, 2026, 08:31:44 PM

Edit and save the alias again, possibly?

#27

General Discussion / Re: Forward local port to WAN...

Last post by viragomann - January 17, 2026, 07:54:26 PM

From my desktop PC I do:
Code Select Expand

Code Select Expand

ssh -L 88:192.168.33.1:80 root@opnsense
And then doing http://opnsense:88 I get forwarded to the modem.

I see. So you want to tunnel the traffic through SSH for security reasons or whatever.

But I don't think that this will be doable. I don't think that OPNsense gets the tunneld traffic in on any interface, which can be used for port forwarding. I assume, it enters the machine on localhost, but this is not available in a port forwarding rule.

You investigate this by running packet capture on the LAN and on loopback.

#28

25.7, 25.10 Series / Re: hostwatch at 100% CPU

Last post by s1l3nce - January 17, 2026, 07:43:37 PM

Nothing is going to be worse, just disable it.

Interfaces: Neighbors: Automatic Discovery

It fills in a missing feature people coming from consumer routers like Fritzbox got used to and frequently demanded: show an overview of all devices in my network.

More useless garbage that we didn't ask for..... Why can't this be a plugin that those folks can install separately and not brick our routers.... I have a 16Gig hostwatch log this morning, lose gui, forced to restart to recover...  Definitely not a professional group here....

Yep, that new feature broke my WebUI because it filled up the storage completely ( /var/log/hostwatch/hostwatch_20260116.log was more than 100 Gigs).

People reporting high CPU usage with this update is probably related to this also.
Here is the explanation -> https://github.com/opnsense/hostwatch/issues/8

#29

25.7, 25.10 Series / Re: upgrade to 25.7.2 from 25....

Last post by lebowski - January 17, 2026, 07:36:49 PM

I feel pretty stupid. And to think that, at the time when i installed all this cabling, i invested in premium cables, cat7 sftp pimf with shielded connectors, made everything by hand, pulled parts of the cable through cableducts in my walls, used premium shielded cat6 wall sockets, because i wanted to make sure.... THIS wouldn't happen. And yet it did. And i have to say, the cable that probably was causing issues, i can't see anything wrong with it, it just doesnt work. So now, to be extra sure, i placed a temporary cable which soon will be replaced by a brand new factory made cat7 sftp pimf cable (has been ordered, is on it's way). I don't want to have this misery again.

I yet have to check the link you send me for the 700mb archive in the previous post. Do you think it still would be a good idea to try and update firmware for my i210-at controllers? Or is it as they say: "if it works, don't touch it"?

You need a cable tester that can do near/far x-talk testing, continuity tests, etc.

As for i210 NVM updating? It's like many warnings that come with updates, "if you are not trying to fix a specific issue.....".

Can the update make things better? Possibly. I just not sure what metrics you would be measuring. I also lean on the other side of that fence, if they made a new NVM image then why did they make it, they didn't do the effort just for fun, etc.

I also am wary of the china made stuff, the maker of the device could have loaded in their own NVM image, and nobody really knows what that code is. I think the NVM loader tool allows you to extract out a copy of the EEPROM code, from there you could look at it in hex editor or some diff tools to see if it's real Intel code or has been modified (comparing same NVM versions as example). From what I have seen, the bin files are highly padded, way more EEPROM space than actual code, so this gives plenty of room to place more code into the bin and load it in.

This is a big battle for say OPNsense who tries to help support via community forums. Unvalidated hardware is a nightmare to deal with, and here we have a gazillion people using all sorts of hardware along with VM's, and then everyone comes here to complain. If "you" want validation then buy an official OPNsense device. It's that simple.

All that said, I guess the community tries to help the community, but many don't have the skillset to dive in and look around and then fix when fixing is needed.

Can you point me in the right direction for such a cable tester? Which ones, brands , types etc?

#30

25.7, 25.10 Series / Re: upgrade to 25.7.2 from 25....

Last post by lebowski - January 17, 2026, 07:28:54 PM

Well, my new cable fix worked for a short time, only to just fall back to 100mbit full duplex. At that point, i felt beaten and didnt feel like pursueing this any longer, so i used my firewall with 100mbit spead instead of the 125mbit that my isp "gives" me.

Now i just upgraded to 25.7.11_1 and to my surprise, after a reboot, my wan port suddenly shows 1000mbit full duplex, and the various negitionable speeds are all shown for the nic. Will this again be a short lived joy or has there been any change in freebsd / opnsense regarding nic's? I searched but couldn't find any relevant information.

-edit: nevermind, it took les then 10 minutes for the wan interface to fallback to Ethernet autoselect (100baseTX <full-duplex>) 😓