Recent posts

#21
25.7, 25.10 Series / Re: DuckDB-related DNS/DHCP ou...
Last post by mawa2559 - Today at 12:56:10 AM
Well, a few days later and I'm really spinning my wheels.

With hostwatch disabled things were more stable for about 48 hours but the problems returned, only slightly different. DNS gets spotty but DHCP no longer drops out, however opnsense's IPv4 address becomes unreachable and unable to be pinged by any devices on the network. I can still log in to the webgui and am not seeing any helpful messages in any logs I can find.

For now, I've rolled DNS and DHCP over to a pihole docker container I was using previously - this has made things MUCH more stable, however the IPv4 address of opnsense still becomes unpingable 1-2x per day for seemingly no reason, continuing to cause network dropouts. Before the IPv4 address becomes unreachable, I can see https GET requests for URLs on the public internet start timing out intermittently. I'm going to try and get more metrics from opnsense using an additional node exporter but at this point I'm planning to get it off the network if I can't identify the cause and fix it soon.
#22
26.1 Series / Re: Suricata - Divert (IPS)
Last post by xpendable - Today at 12:22:19 AM
That's true, my OPNsense runs as a VM on XCP-ng, however I use SR-IOV with Intel X710 NICs. So never had an issue with using Netmap, but using the Divert method is way more efficient on memory usage. I have 16GB of memory allocated and before the memory would typically sit at 40-50% usage. I just checked and it's now down to about 10%. Will probably reduce the memory allocation in the near future as the system obviously doesn't need it anymore.
#23
25.7, 25.10 Series / Re: Dnsmasq stops occasionaly
Last post by ligand - Today at 12:03:35 AM
Here are the log files I sent Simon

https://drive.google.com/file/d/1N16fclaKNR6PaC3_f82hPn-mGaoRsuzI/view?usp=sharing

I couldn't post them directly here.
#24
26.1 Series / Re: RTSP proxy does not work a...
Last post by JGeek00 - January 30, 2026, 11:57:43 PM
It's not. It was originally developed by someone else but I ended up taking that code, applying some fixes and installing manually on my machine. It has been doing its job since then. After upgrading from 25.7.11 to 26.1 it still worked in terms of not crashing, but it wasn't doing its job because it can no longer capture the requests that the tv box sends to the RTSP server. I never submitted the plugin to the plugins repo because I think the code quality is not good enough to be used by someone else (I'm not a python dev, I fixed it just enough for it to work), but it was doing its job for me. I started using it with OPNsense 24 and it never failed or crashed. And as far as I know there's no "compatibility mode" for the firewall on 26.1 that would allow me to continue using the plugin. Also on that plugins list I see that igmp-proxy is no longer maintained (I also use it). I'm a bit concerned that some future update will include a breaking change that will cause also igmp-proxy to stop working.
#25
25.7, 25.10 Series / Re: Dnsmasq stops occasionaly
Last post by ligand - January 30, 2026, 11:57:24 PM
Yup.  I restarted dnsmasq after the update. 




#26
26.1 Series / Re: 26.1 is out!!!
Last post by nero355 - January 30, 2026, 11:32:49 PM
Quote from: OPNenthu on January 30, 2026, 05:42:54 PM
UPDATE: to close the loop, I was able to bring the bridge interface down with 'nmcli conn down br0', but the inverse 'nmcli conn up br0' returned success and never actually brought it up.
I followed up with 'nmcli device up br0' and this timed out (failed).

I then used the GUI toggle switch for the parent interface (which was already up in 'ip a' but showed as down in the GUI) and it brought it back up.
However the same toggle switch does not bring the br0 interface down :P

So it's quite an inconsistent mess.  Probably either a Mint / Ubuntu bug, or my configuration is just too complex or I set it up incorrectly.

There are a couple more nmcli options I see mentioned in the man page: maybe try those too?

Another option is nmtui which might help.

And if you are in for an adventure you could try configuring networking via SystemD and remove NetworkManager completely like I did last year :)
#27
26.1 Series / Re: OpnSense 25.7.11_9 upgrade...
Last post by franco - January 30, 2026, 11:21:36 PM
Quote
Fetching pkg-2.3.1_1: .......... done
pkg-2.5.1: already unlocked
Checking integrity... done (0 conflicting)
Nothing to do.

Is that a new upstream bug?  It should reinstall here and our version does:

Quote
No packages are required to be fetched.
Integrity check was successful.
pkg-2.3.1_1: already unlocked
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
   pkg-2.3.1_1

Number of packages to be reinstalled: 1
[1/1] Reinstalling pkg-2.3.1_1...
[1/1] Extracting pkg-2.3.1_1: .......... done

Checking integrity... done (0 conflicting)

Anyway I'm glad you could solve it.  Upgrading with the wrong pkg version might have been devastating.


Cheers,
Franco
#28
26.1 Series / Re: MiniUPNPD
Last post by franco - January 30, 2026, 11:18:37 PM
I think I found it.  Looks like a feature removal gone wrong:

# opnsense-patch https://github.com/opnsense/core/commit/311184daa8
# /usr/local/etc/rc.filter_configure

It should bring back the required anchors.


Cheers,
Franco
#29
26.1 Series / Re: OpnSense 25.7.11_9 upgrade...
Last post by Noci - January 30, 2026, 10:46:38 PM
That worked out:

Type opnsense
Version 26.1_4
Architecture amd64
Commit 889098cfa
Mirror https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Repositories OPNsense (Priority: 11)
Updated on Fri Jan 30 22:40:46 CET 2026
Checked on N/A
#30
German - Deutsch / Divert IPS
Last post by juergen2025 - January 30, 2026, 10:36:36 PM
Hello everyone,

I'm currently working with Suricata/IPS on OPNsense 26.x and came across the documentation on Divert (IPS) in combination with Rules [new].

I understand that there are two approaches: Netmap (IPS) as the classic, global IPS without additional firewall rules, and Divert (IPS) with selective inspection via "Divert-to" rules.

I'm currently still using Netmap (IPS), since it works stably and without complications for my setup. Divert (IPS), on the other hand, seems considerably more complex to me. I'm no expert on this topic and would therefore like to know whether Divert is primarily intended for very granular, rule-based inspection, or whether it also has conceptual advantages over Netmap? I'd also be interested to know whether Divert is considered the new recommended way or is more of an advanced/special-purpose solution?

Thanks in advance for your assessments!