"Recent posts
#21
German - Deutsch / Umstzellung auf EON Glasfaser ...
Last post by dage - November 21, 2025, 05:37:28 PMHallo zusammen,
ich werde nächste Woche auf EON Glasfaser umgestellt. Bisher Vodafon am Modem. (Modem/OTN -> opnsense -> LAN) Keine Fritzbox oder ähnliches. Das läuft auch schon paar Jahre so.
Jetzt muss ich auf dem WAN VLAN 132 DHCP machen. OK bekomm ich hin.
Ich muss aber auch VLAN 232 auf WAN machen und dann? Jetzt hört mein Wissen auf. Ich kenne es so das man zB den IP Telefonen das VLAN tagged mitgibt und die sich am switch, wo das Vlan auch tagged mitgegeben wird, an der Telefonanlage anmelden.
Meine Fragen:
Reicht es wenn ich das VLAn 232 tagged auf WAN und untagged auf nen Port leg und in dem W70B die Zugangsdaten hinterlege?
Was an FW Regeln muss oder sollte ich erstellen?
Brauch ich nen SIP Proxy oder so was?
Gruß und danke
ich werde nächste Woche auf EON Glasfaser umgestellt. Bisher Vodafon am Modem. (Modem/OTN -> opnsense -> LAN) Keine Fritzbox oder ähnliches. Das läuft auch schon paar Jahre so.
Jetzt muss ich auf dem WAN VLAN 132 DHCP machen. OK bekomm ich hin.
Ich muss aber auch VLAN 232 auf WAN machen und dann? Jetzt hört mein Wissen auf. Ich kenne es so das man zB den IP Telefonen das VLAN tagged mitgibt und die sich am switch, wo das Vlan auch tagged mitgegeben wird, an der Telefonanlage anmelden.
Meine Fragen:
Reicht es wenn ich das VLAn 232 tagged auf WAN und untagged auf nen Port leg und in dem W70B die Zugangsdaten hinterlege?
Was an FW Regeln muss oder sollte ich erstellen?
Brauch ich nen SIP Proxy oder so was?
Gruß und danke
#22
Intrusion Detection and Prevention / Re: Can't download rules
Last post by ljhardy - November 21, 2025, 05:11:05 PMHmm, after about 10 minutes the rules that I attempted to download showed up as installed. I guess I just needed to be patient!!!
#23
General Discussion / Re: Unbound DNS and Adguard an...
Last post by tdukes - November 21, 2025, 05:10:29 PMThanks
I've probably opened a can of worms.
I don't have any alerts. I went into policy and changed it from alert to drop all. My thinking, if they are on the list, I don't want them on my home site/network.
The reason for running Unbound and Adguard, on separate machines, is to try to balance any load that may occur. I'm getting hammered by bad bots.
I've probably opened a can of worms.
I don't have any alerts. I went into policy and changed it from alert to drop all. My thinking, if they are on the list, I don't want them on my home site/network.
The reason for running Unbound and Adguard, on separate machines, is to try to balance any load that may occur. I'm getting hammered by bad bots.
#24
Intrusion Detection and Prevention / Can't download rules
Last post by ljhardy - November 21, 2025, 04:42:50 PMFor example, I check ET open/emerging-current_events and click Download & Update Rules, spinner spins, but not installed is still listed. After trying a bunch of times I was able to get ET open/emerging-attack_response installed, but it doesn't seem to install anything else consistently.
Running 25.7.7_4
Running 25.7.7_4
#25
25.7, 25.10 Series / Re: Block randomized MAC addre...
Last post by BetaPrinz - November 21, 2025, 04:28:10 PMI'm also looking for a way to ignore the random MAC address.
I found something interesting here.
https://community.ui.com/questions/Block-Random-MAC-Addresses/8fbf5f69-b965-4c05-bd2f-aa62548dc35c#answer/e896d1f6-e375-4663-ae15-3c1470c83295
Hopefully I can limit it to one interface.
The manual says:
Ethernet addresses (but not client-ids) may have wildcard bytes, so for example --dhcp-host=00:20:e0:3b:13:*,ignore will cause dnsmasq to ignore the given range of hardware addresses. Note that the "*" will need to be escaped or quoted on a command line, but not in the configuration file.
I found something interesting here.
https://community.ui.com/questions/Block-Random-MAC-Addresses/8fbf5f69-b965-4c05-bd2f-aa62548dc35c#answer/e896d1f6-e375-4663-ae15-3c1470c83295
Code Select
dhcp-host=02:*:*:*:*:*,ignore
dhcp-host=12:*:*:*:*:*,ignore
dhcp-host=22:*:*:*:*:*,ignore
dhcp-host=32:*:*:*:*:*,ignore
dhcp-host=42:*:*:*:*:*,ignore
dhcp-host=52:*:*:*:*:*,ignore
dhcp-host=62:*:*:*:*:*,ignore
dhcp-host=72:*:*:*:*:*,ignore
dhcp-host=82:*:*:*:*:*,ignore
dhcp-host=92:*:*:*:*:*,ignore
dhcp-host=A2:*:*:*:*:*,ignore
dhcp-host=B2:*:*:*:*:*,ignore
dhcp-host=C2:*:*:*:*:*,ignore
dhcp-host=D2:*:*:*:*:*,ignore
dhcp-host=E2:*:*:*:*:*,ignore
dhcp-host=F2:*:*:*:*:*,ignore
dhcp-host=06:*:*:*:*:*,ignore
dhcp-host=16:*:*:*:*:*,ignore
dhcp-host=26:*:*:*:*:*,ignore
dhcp-host=36:*:*:*:*:*,ignore
dhcp-host=46:*:*:*:*:*,ignore
dhcp-host=56:*:*:*:*:*,ignore
dhcp-host=66:*:*:*:*:*,ignore
dhcp-host=76:*:*:*:*:*,ignore
dhcp-host=86:*:*:*:*:*,ignore
dhcp-host=96:*:*:*:*:*,ignore
dhcp-host=A6:*:*:*:*:*,ignore
dhcp-host=B6:*:*:*:*:*,ignore
dhcp-host=C6:*:*:*:*:*,ignore
dhcp-host=D6:*:*:*:*:*,ignore
dhcp-host=E6:*:*:*:*:*,ignore
dhcp-host=F6:*:*:*:*:*,ignore
dhcp-host=0A:*:*:*:*:*,ignore
dhcp-host=1A:*:*:*:*:*,ignore
dhcp-host=2A:*:*:*:*:*,ignore
dhcp-host=3A:*:*:*:*:*,ignore
dhcp-host=4A:*:*:*:*:*,ignore
dhcp-host=5A:*:*:*:*:*,ignore
dhcp-host=6A:*:*:*:*:*,ignore
dhcp-host=7A:*:*:*:*:*,ignore
dhcp-host=8A:*:*:*:*:*,ignore
dhcp-host=9A:*:*:*:*:*,ignore
dhcp-host=AA:*:*:*:*:*,ignore
dhcp-host=BA:*:*:*:*:*,ignore
dhcp-host=CA:*:*:*:*:*,ignore
dhcp-host=DA:*:*:*:*:*,ignore
dhcp-host=EA:*:*:*:*:*,ignore
dhcp-host=FA:*:*:*:*:*,ignore
dhcp-host=0E:*:*:*:*:*,ignore
dhcp-host=1E:*:*:*:*:*,ignore
dhcp-host=2E:*:*:*:*:*,ignore
dhcp-host=3E:*:*:*:*:*,ignore
dhcp-host=4E:*:*:*:*:*,ignore
dhcp-host=5E:*:*:*:*:*,ignore
dhcp-host=6E:*:*:*:*:*,ignore
dhcp-host=7E:*:*:*:*:*,ignore
dhcp-host=8E:*:*:*:*:*,ignore
dhcp-host=9E:*:*:*:*:*,ignore
dhcp-host=AE:*:*:*:*:*,ignore
dhcp-host=BE:*:*:*:*:*,ignore
dhcp-host=CE:*:*:*:*:*,ignore
dhcp-host=DE:*:*:*:*:*,ignore
dhcp-host=EE:*:*:*:*:*,ignore
dhcp-host=FE:*:*:*:*:*,ignoreHopefully I can limit it to one interface.
The manual says:
Ethernet addresses (but not client-ids) may have wildcard bytes, so for example --dhcp-host=00:20:e0:3b:13:*,ignore will cause dnsmasq to ignore the given range of hardware addresses. Note that the "*" will need to be escaped or quoted on a command line, but not in the configuration file.
#26
25.7, 25.10 Series / Re: SSD get's massively writte...
Last post by franco - November 21, 2025, 03:36:05 PM/var MFS was a very volatile idea for what /var/log was supposed to do. The NetFlow dump in /var/netflow is a historic artifact that predates the removal of /var MFS, but so far it hasn't come up as far as I can remember.
Cheers,
Franco
Cheers,
Franco
#27
German - Deutsch / Re: Problem mit sftp Backup üb...
Last post by harald99 - November 21, 2025, 03:19:20 PMIch komme momentan nicht an die OPNs, aber hab die konfigs und ziehe mir das im vm lab hoch, dann prüfe ich die Routen.
#28
General Discussion / Re: Trouble with VLAN setup on...
Last post by pfry - November 21, 2025, 03:04:54 PMQuote from: User074357 on November 21, 2025, 12:33:14 PMI was under the impression the "Default allow LAN to any rule" would be enough to allow pinging devices in the DMZ from LAN.[...]
It should be, and blocked packets would be logged, assuming default block logging is enabled. Valid sessions would be visible regardless of logging.
How about "Interfaces: Devices: Bridge" and "Interfaces: Overview"?
#29
25.7, 25.10 Series / Re: SSD get's massively writte...
Last post by senseOPN - November 21, 2025, 03:04:26 PMQuote from: xavx on November 21, 2025, 02:41:02 PMWhat I did is include the netflow storage path in the var/log ram disk by modifying the end of /usr/local/etc/rc.subr.d/var :Code Selectecho -n "Setting up /var/log memory disk..."
mount -t tmpfs -o size=$((MAX_MEM_SYS / 100 * MAX_MFS_VAR)) tmpfs /var/log
echo "done."
ln -s /var/log/netflow /var/netflow
mkdir -p /var/log/netflow
chown root:wheel /var/log/netflow
chmod 750 /var/log/netflow
fi
# prep boog log
: > /var/log/boot.log
I also did something similar for the unbound.duckdb.
You'll need to re-apply these changes after each opnsense update as they'll be overwritten.
That's a nice idea, great many thanks!
I am wondering why this is not bound to /var/log anyways - so that it lands in RAM if you decide to configure a RAM disk for this.
#30
25.7, 25.10 Series / Re: SSD get's massively writte...
Last post by xavx - November 21, 2025, 02:41:02 PMWhat I did is include the netflow storage path in the var/log ram disk by modifying the end of /usr/local/etc/rc.subr.d/var :
I also did something similar for the unbound.duckdb.
You'll need to re-apply these changes after each opnsense update as they'll be overwritten.
Code Select
echo -n "Setting up /var/log memory disk..."
mount -t tmpfs -o size=$((MAX_MEM_SYS / 100 * MAX_MFS_VAR)) tmpfs /var/log
echo "done."
ln -s /var/log/netflow /var/netflow
mkdir -p /var/log/netflow
chown root:wheel /var/log/netflow
chmod 750 /var/log/netflow
fi
# prep boog log
: > /var/log/boot.log
I also did something similar for the unbound.duckdb.
You'll need to re-apply these changes after each opnsense update as they'll be overwritten.
