Recent posts

#21
General Discussion / Re: NEED WITH HELP OPNSENSE CO...
Last post by iwanttolearn - January 18, 2026, 10:27:26 PM
Hi meyergru

Thank you so much for the clarity! Now I at least know that I was going in the wrong direction and trying to do the impossible. Also for the tips. I really appreciate it. I'll try and follow the guides you and Patrick posted instead of the videos and AI. Too bad for me, because the videos made everything so much more simple and easy.

As I already confessed from the beginning, I'm kind of new to all this (especially OPNsense) and well aware it's for pros, but I really want to learn my way around it so I can replace what I have now. Besides, I have too many hours invested already to just quit and give up now.

Do you have any more tips or references to good resources I should check out that could help me on this journey?


Hi Patrick

Yes, I have the following information from my ISP:

- Annex
- Mode: PPPoE
- VLAN
- PPP authentication
- username
- password

Your AP as well as your switch should get their IP addresses via DHCP and be connected to the OPNsense LAN interface: Yes, correct, I have this configured. I meant the local IP address to get to the login portal.

The AP must be configured in "AP" or "bridge" mode: This I'm also well aware of, and it was a real pain in the ass to get my head around on OpenWrt, since I'm accustomed to DD-WRT and in OpenWrt it's kind of different, since they want you to construct/configure the whole bridge from scratch by yourself.

The general idea is for OPNsense to control all aspects of the network: Yes, this is what drew my attention and why I want to learn how to use it. I have always been accustomed to doing this all in the router itself.
#22
German - Deutsch / Re: OpenSense hard disk running...
Last post by Patrick M. Hausen - January 18, 2026, 10:27:24 PM
There is a new feature that can cause this:

Interfaces: Neighbors: Automatic Discovery

Just turn it off. The forum is full of threads on the topic. Issues on GitHub are already open as well.
#23
German - Deutsch / OpenSense hard disk running ful...
Last post by Paul_Senger - January 18, 2026, 10:20:30 PM
Hello,
today I noticed that the OpenSense is showing a warning that the disk is filling up or is critically full. At first I suspected "flowd.log" and deleted about 200MB of log files. But that still doesn't seem to be it.
According to "df -h" it is supposed to be the root directory, but I see nothing there. /var/log is also unremarkable. I'm only puzzled by the 105GB shown here. I don't see them used anywhere.

zroot/ROOT/default           1.7G    1.7G     27M    98%    /
devfs                        1.0K      0B    1.0K     0%    /dev
/dev/gpt/efiboot0            260M    1.3M    259M     1%    /boot/efi
zroot/var/mail                27M    144K     27M     1%    /var/mail
zroot/home                    27M    188K     27M     1%    /home
zroot/var/audit               27M     96K     27M     0%    /var/audit
zroot                         27M     96K     27M     0%    /zroot
zroot/tmp                     28M    1.6M     27M     6%    /tmp
zroot/var/tmp                 27M    116K     27M     0%    /var/tmp
zroot/var/log                105G    105G     27M   100%    /var/log
zroot/var/crash               27M     96K     27M     0%    /var/crash
zroot/usr/ports               27M     96K     27M     0%    /usr/ports
zroot/usr/src                 27M     96K     27M     0%    /usr/src
devfs                        1.0K      0B    1.0K     0%    /var/dhcpd/dev
devfs                        1.0K      0B    1.0K     0%    /var/unbound/dev
/usr/local/lib/python3.11    1.7G    1.7G     27M    98%    /var/unbound/usr/local/lib/python3.11
/lib                         1.7G    1.7G     27M    98%    /var/unbound/lib

I'm really stumped now. Could it be due to the last update to OPNsense 25.7.11_1? I've never had this problem before.

Thanks in advance for your ideas.

Paul

#24
General Discussion / Re: Ineffective DNS Firewall R...
Last post by Patrick M. Hausen - January 18, 2026, 10:19:18 PM
After adding the rule, clear the firewall states. If that TV was running all the time, probably there is an active state with "allow" from before you added your rule.

Firewall: Diagnostics: States: Actions
#25
General Discussion / Re: Ineffective DNS Firewall R...
Last post by Drake - January 18, 2026, 10:12:50 PM
Hello - yes the Quick box is checked for this Rule, which is 3rd in the batting order.  It is below two Allow Rules that I described above, for traffic to the PiHoles and to UnboundDNS on the OPNsense box.

It is sitting above the two general Allow Rules at the bottom, which just pass all IPv4 and IPv6 traffic respectively.

I can change the Rule order to put this Block Rule first... will that make a difference?  It doesn't seem like it would be important.

For the record, the LG Smart TV network settings show one of the PiHole DNS IP addresses for its DNS, so it seems like everything is set up right.  OPNsense seems to be pretty good at cramming the PiHole DNS addresses down the throat of every LAN client so they behave.
#26
General Discussion / Re: NEED WITH HELP OPNSENSE CO...
Last post by Patrick M. Hausen - January 18, 2026, 10:04:33 PM
Adding to @meyergru - first and foremost, do you *have* the information from your ISP at all?

- username
- password
- VLAN if applicable

You need this. There is no way to configure a working Internet connection without this information.

Apart from that: your AP as well as your switch should get their IP addresses via DHCP and be connected to the OPNsense LAN interface. Switch to OPNsense LAN, AP and all wired PCs to switch. The AP must be configured in "AP" or "bridge" mode. If the AP is in itself a router and firewall with NAT you won't have much fun. The general idea is for OPNsense to control all aspects of the network.

HTH,
Patrick
#27
General Discussion / Re: Ineffective DNS Firewall R...
Last post by Patrick M. Hausen - January 18, 2026, 09:58:30 PM
Quote from: Drake on January 18, 2026, 09:54:59 PM
To me, this seems like the Firewall should block any port 53 DNS query that isn't going to my PiHoles, but the LG TV seems to bypass this.

Is this rule a "quick" rule, i.e. applied on first match? Is this rule located above all other allow rules in the table view?

Rules are applied in order, for quick rules (the sensible default in almost all cases) first match wins.
#28
General Discussion / Ineffective DNS Firewall Rule?
Last post by Drake - January 18, 2026, 09:54:59 PM
Hello OPNsense friends;

Over Christmas I decided to take the plunge and step up to OPNsense from my consumer-level router.  It has been quite the learning curve and I am still struggling to reach the layman's level of competence.  I have searched around the forum but haven't quite found any answers so I hope someone can help explain what is going on.

I am running version 25.7.10, and while everything is pretty stable and working, I have noticed in Zenarmor that my old LG Smart TV is direct-querying dns.google on Port 53.  Seems to be the Netflix app on the TV.  This is in defiance of a Firewall Rule I have set up that should Block any DNS request that does not go to my redundant PiHole(s):

Action - Block
Interface - LAN
Direction - in
TCP/IP Version - IPv4+IPv6
Protocol - TCP/UDP
Source - LAN net
Destination/Invert - Checked (Use this option to invert the sense of the match)
Destination - PIHOLE_DNS (An alias I set up that contains the IPv4 and IPv6 addresses of my two PiHole instances)
Destination Port Range (DNS)

To me, this seems like the Firewall should block any port 53 DNS query that isn't going to my PiHoles, but the LG TV seems to bypass this.

I also have two other related Rules, one Pass Rule which allows IPv4 & IPv6 traffic to get to the Piholes, and another Pass Rule to allow recursive DNS queries from the PiHoles to UnboundDNS.  UnboundDNS takes it from there.  They are both ahead in the order from the Block Rule.  There is also an unrelated Rule that is fourth in the order, which is a Block Rule for any query on Port 853 (DoT blocking effort).

So, that's the story.  Have I set this up wrong?  Any advice appreciated.  Thanx.
#29
General Discussion / Re: Forward local port to WAN...
Last post by teclab - January 18, 2026, 09:16:51 PM
Indeed, I am sorry Patrick.
Today I learned a lot!
#30
German - Deutsch / Re: Old hostnames on the network
Last post by meyergru - January 18, 2026, 09:08:48 PM
Yes, of course. The names can still be in the lease file; this happens, for example, when with ISC you change a lease into a reservation that has a different IP. I have always deleted the old junk from the files manually (but you have to stop the daemon first, otherwise it writes the same thing back in).

Whether that is really still worth it is the question, though: in 26.1 (so in just under two weeks) ISC DHCP moves into the plugins and will just no longer be supported. I would recommend taking the opportunity to switch to Kea or DNSmasq.