Recent posts

#21
General Discussion / Re: Comparison of DHCP service...
Last post by DEC670airp414user - November 08, 2025, 04:54:50 PM
Home user running business edition on an official appliance.
Moved to kea when it was first suggested and it's run fine since then. A year, maybe more?

Decided to try dnsmasq; it's surprising to read it's a one-man army from the UK, compared to kea, an actual company.
Manually moved my kea static mappings over, which I was fine with doing; it's only 17 devices.

I had an issue with dnsmasq initially, caused by my own Alias error, but since then all devices seem to be more responsive.

Still using unbound for DNS. Forwarding to either quad 9, nextdns, or controld DNS over TLS...
#22
25.7, 25.10 Series / Re: LAN -> WireGuard -> WAN
Last post by spetrillo - November 08, 2025, 04:46:21 PM
How do you have WG configured on the client side? I thought you had to tell it that no IPs are local IPs, so it just routes via OPNsense to the WAN.
#23
25.7, 25.10 Series / Configuration of the LAN Inter...
Last post by spetrillo - November 08, 2025, 04:44:50 PM
Hello all,

For all my OPNsense deployments I used VLAN 1 as the LAN interface. In VLAN 1 I used to put all my network mgmt connections, so if my firewall was breached the hacker would have access to my network mgmt ports. Not good in my opinion. What I would like to do is configure OPNsense so that the LAN interface is set to a static IP but the subnet is /32. I will move my network mgmt connections to VLAN 2, and so on from there.

If this works, should I set up static routes to the rest of the subnets being used or just let OPNsense handle it via layer 2? In my mind it should work, but then I have never done it and wanted to check with the community.

Thanks,
Steve
#24
25.7, 25.10 Series / Re: cron job parameters for "R...
Last post by Patrick M. Hausen - November 08, 2025, 04:19:43 PM
Quote from: Evert on November 06, 2025, 12:57:32 PM
Oh, and good luck with your disk, Patrick!  ;-)

All good now:

Self-test Log (NVMe Log 0x06, NSID 0xffffffff)
Self-test status: No self-test in progress
Num  Test_Description  Status                       Power_on_Hours  Failing_LBA  NSID Seg SCT Code
 0   Short             Completed without error                   0            -     -   -   -    -
I was lucky, though. I just happened to have some fresh thermal paste at home. I needed it when reassembling the appliance.

Did you try Scrutiny, yet?
#25
25.7, 25.10 Series / Re: Unbound crashes if I add a...
Last post by Jyling - November 08, 2025, 04:10:45 PM
Good to know, but this does not help me. The crash is 100% reproducible: add a wildcard - it crashes and fails to restart. Remove the wildcard - it restarts. This is not something that users should discuss among ourselves but rather something that dev team should become concerned about.
#26
25.7, 25.10 Series / LAN -> WireGuard -> WAN
Last post by mistra666 - November 08, 2025, 02:31:47 PM
Even after completing additional settings with the gateway configuration for WireGuard,
we are still unable to successfully pass traffic from LAN -> WireGuard -> WAN bridge (vmxnet VMware ESX).
The WireGuard tunnel is established, and DNS resolves the hostname of the WireGuard tunnel, but traffic does not pass through.
The instructions used were https://www.alexmoch.com/blog/mullvad-wireguard-vpn-in-opnsense-dual-stack/
In my case, "LAN" + "INT" are the same interface "LAN" (no management interface).

OPNsense 23.1.11_1 works fine, without WireGuard keepalive and without changing the default gateway policy: https://forum.opnsense.org/index.php?topic=38944.msg223782#msg223782
#27
25.7, 25.10 Series / Weird behaviour when checking ...
Last post by pato - November 08, 2025, 02:25:54 PM
Hi
I was checking for updates today, as I saw that there were two new releases out.
When the update check started, I was unable to access the web interface anymore; I got an Error 404. SSH also stopped working. Mind you, I didn't actually start to install updates, but I feared that the new package manager might have caused the issue.
After waiting a while (some 30 minutes), I plugged in a VGA screen and everything was looking good. I then did a manual update from the CLI menu, which went fine and, if I read it correctly, did the update of the package manager during that. The web interface/SSH was still not accessible, though. I then selected option 11 to restart the services, which also didn't bring the web interface back. On the CLI everything was looking good, though, at least at first glance.
Then I got the idea to access it with a second client, and the interface worked. Afterwards I checked the live logs and saw that my initial client was actually dropped because of "sshlockout" to the web interface. The client is local, in the same LAN segment as the OPNsense router.
I went forward and disabled this Advanced setting and access was possible again.
Any idea why this happened?
Thanks
pato
#28
25.7, 25.10 Series / Re: Looking for testers Q-Feed...
Last post by Q-Feeds - November 08, 2025, 02:25:17 PM
Quote from: passeri on November 08, 2025, 10:37:01 AM
Quote from: Q-Feeds on November 08, 2025, 09:48:45 AM
interesting to see that you experience outbound connections to it
That "interesting" could be carrying a lot of freight. The attempted connections were for a short period then ceased. The machine which sourced them has Sophos Premium running on it and no open ports. The router which trapped them is internal, not at the edge, looking only at outgoing traffic, Community key for Q-feeds. The Plus key is on the edge so it saw nothing of this.

I tried the threat lookups again. They worked in Safari, not in Mullvad (Firefox), "network error". Everything is latest versions.

Plus has everything community has, plus more. So I have no clue why your edge router didn't catch that activity!? Or am I misunderstanding something?
#29
25.7, 25.10 Series / Re: Looking for testers Q-Feed...
Last post by Q-Feeds - November 08, 2025, 02:21:03 PM
Quote from: vk2him on November 08, 2025, 11:45:35 AM
Quote from: Q-Feeds on November 08, 2025, 09:41:38 AM
That's very interesting, but we're glad that issue is solved now. Now regarding the events tab, that's an interesting find as well. Just to be sure, you haven't disabled logging on the rules? And you do see blocks in the dashboard widget?

Does this command dump logs ? "/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs"

The rules have the logging enabled - I shared a screenshot in my previous reply of the live logs showing my test was blocked. Yes the dashboard widget shows a large blocked number.

The command gives an error:

root@OPNsense:~ # /usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py", line 50, in <module>
    for msg in getattr(actions, action)():
  File "/usr/local/opnsense/scripts/qfeeds/lib/__init__.py", line 187, in logs
    yield ujson.dumps({'rows': PFLogCrawler(feeds).find()})
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opnsense/scripts/qfeeds/lib/log.py", line 75, in find
    result.append(self._parse_log_line(line))
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/opnsense/scripts/qfeeds/lib/log.py", line 64, in _parse_log_line
    return [parts[1], fw_line[4], fw_line[7]] + [x for x in fw_line if is_ip_address(x)]
                      ~~~~~~~^^^
IndexError: list index out of range

Thanks

Sorry, I didn't check that thoroughly. It seems that somehow your filter_*.log got corrupted. Did you have any system crashes, disk-full, or power-loss events lately? I think it's best to log a bug report on the GitHub plugin repository: https://github.com/opnsense/plugins/issues

If you want, I can do that for you, but I'm not able to reproduce it. It should resolve eventually once your logs get rotated.
#30
General Discussion / Re: Opnsense NordVPN does not ...
Last post by meyergru - November 08, 2025, 02:03:41 PM
8. Add a kill switch (step 11):

[attachment: screenshot not available]

9. Add a kill switch for IPv6:

[attachment: screenshot not available]

The floating firewall rules should be arranged like so afterwards:

[attachment: screenshot not available]

Oh, and BTW: the NORDVPN WireGuard interface must not block RFC1918 addresses:

[attachment: screenshot not available]

It should also be noted that this way, local access is still possible (which it should be, so you can control your VPN clients or transfer files); however, you have to implement steps to prevent DNS leaks (check whether this works with https://www.dnsleaktest.com/).