Recent posts

#21
Hardware and Performance / Re: N150 / N355 good fits?
Last post by Billy2010 - November 23, 2025, 10:07:35 PM
That would be big news, so I assume they don't.
But let's anticipate they eventually might do so.

I do want that IDS/IPS.

CWWK also has these other boards.
Based on an i5 1335u which should run at 15W.
And an i7 155h at 28W. I find this a bit much but "maybe ok"; it also has 4x SFP+/4x 2.5G.

Pricewise, that 155h starts to move up to that of a Minisforum A2, but the latter draws 100W.

 
#22
Hardware and Performance / Re: N150 / N355 good fits?
Last post by meyergru - November 23, 2025, 09:23:08 PM
IDK if Zenarmor has finally made the jump to being multithreaded; there was a long ongoing discussion about that. If not, then an N355 will probably do nothing at all over an N150, because it only has more cores.

Any type of IDS/IPS will stress the CPU way more than pure routing. With an N150 and without IDS, you should get 10G routing throughput (or close to it, because most 82559-based devices cannot really reach full 10G speed).
#23
General Discussion / Re: GUI/Shell crashing
Last post by meyergru - November 23, 2025, 09:17:59 PM
I really do not know.
#24
25.7, 25.10 Series / Re: Adding a VLAN takes 26 cli...
Last post by Patrick M. Hausen - November 23, 2025, 09:07:21 PM
Quote from: johnmcallister on November 23, 2025, 08:56:02 PM
*cough* that said, it sure would be nice to be able to copy-and-paste firewall rules between interfaces, say, by ticking the rule-selector checkbox and clicking "copy to Interface X"...

Click the "duplicate" symbol to the right, change interface in the opened rule edit dialog, possibly change some more things like source from "interface1 net" to "interface2 net", save, done. The UI will even take you to the "interface2" rules instead of where you started.
#25
25.7, 25.10 Series / Re: Adding a VLAN takes 26 cli...
Last post by johnmcallister - November 23, 2025, 08:56:02 PM
Just chipping in my 2 bits --

While there are a lot of places where Opnsense's web UI could be improved or re-worked, IMO ALL of that sort of intention to polish and optimize the UI/UX -- 100% of it, every last bit -- is secondary, possibly even tertiary, to the reasons I use Opnsense in the first place:

• Stability
• Broad feature set with fine-grained configurability
• Frequent security updates.

Just continuing to keep the above 3 priorities fully-realized, as I believe they are now, is enough to keep me satisfied going forward.

Granted, one's use case does influence such an opinion. That is to say, as a small-time user who runs 3 small separate site networks on OPNsense, I probably only touch firewall rules, VLAN & interface assignments, etc. a few times a year, and when I do, all I care about is that they continue to work as expected and reliably, regardless of whether it takes me 8 clicks or 58 clicks to make a change.

If I were a network admin in an enterprise setting, configuring one or more new OPNsense instances a week, I might have a stronger wish for UI/UX polishing.

(*cough* that said, it sure would be nice to be able to copy-and-paste firewall rules between interfaces, say, by ticking the rule-selector checkbox and clicking "copy to Interface X"...  although, thinking that through further, it might grease the rails overmuch towards people making broadly insecure and/or breaking changes to their firewall rule sets.)
#26
25.7, 25.10 Series / Re: WAN interface DNS to Veriz...
Last post by JMini - November 23, 2025, 08:44:30 PM
I still saw the Verizon DNS in the logs. I did find the cause in AdGuard though.
"By default, AdGuard Home uses the following reverse DNS resolvers: "71.243.0.12:53", "71.250.0.12:53" "
So, this is for private IP stuff, so I just pointed it to Dnsmasq on OPNsense, which will resolve IPs for internal DHCP clients.
#27
Web Proxy Filtering and Caching / Re: Nginx SNI SSL passthrough ...
Last post by Slydder - November 23, 2025, 08:34:48 PM
Here is the actual config.

load_module /usr/local/libexec/nginx/ngx_stream_module.so;
load_module /usr/local/libexec/nginx/ngx_http_naxsi_module.so;
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;
load_module /usr/local/libexec/nginx/ngx_http_js_module.so;
load_module /usr/local/libexec/nginx/ngx_http_vhost_traffic_status_module.so;

user www staff;
worker_processes 1;

#error_log  /var/log/nginx/error.log;
error_log  syslog:server=unix:/var/run/log,facility=local6,nohostname warn;

events {
    worker_connections  1024;
}

http {
    include       mime.types;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    log_format  main_ext  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for" '
                          '"$host" sn="$server_name" '
                          'rt=$request_time '
                          'ua="$upstream_addr" us="$upstream_status" '
                          'ut="$upstream_response_time" ul="$upstream_response_length" '
                          'cs=$upstream_cache_status';
    log_format  handshake   '"$http_user_agent" "$ssl_ciphers" "$ssl_curves"';
    log_format  anonymized  ':: - $remote_user [$time_local] "$request" '
                            '$status $body_bytes_sent "$http_referer" '
                            '"$http_user_agent" "$http_x_forwarded_for"';

    #tcp_nopush     on;
    # https intercept detection
    js_import /usr/local/opnsense/scripts/nginx/ngx_functions.js;
    js_set $tls_intercepted ngx_functions.check_intercept;

    # 200M should be big enough for file servers etc.
    client_max_body_size 200M;
    brotli_static on;
    brotli on;
    gzip_static on;
    gzip on;
    server_tokens off;
    sendfile Off;
    default_type  application/octet-stream;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Map used in location.conf for proxy_ssl_name
    map $ssl_server_name $upstream_sni_name {
        default $ssl_server_name;
        '' $host;
    }

    include http_post/*.conf;

    # TODO add when core is ready for allowing nginx to serve the web interface
    # include nginx_web.conf;

    # UPSTREAM SERVERS

    include opnsense_http_vhost_plugins/*.conf;

server {

    listen 80;
    listen [::]:80;


    sendfile On;
    server_name  ucs-sso-ng.caritas-im-norden.de;

    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;
    access_log  /var/log/nginx/ucs-sso-ng.caritas-im-norden.de.access.log main;
    access_log  /var/log/nginx/tls_handshake.log handshake;
    error_log  /var/log/nginx/ucs-sso-ng.caritas-im-norden.de.error.log error;
    #include tls.conf;
    error_page 403 /opnsense_error_403.html;
    error_page 404 /opnsense_error_404.html;
    error_page 405 /waf_denied.html;
    error_page 500 501 502 503 504 /opnsense_server_error.html;

    location = /opnsense_error_403.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location = /opnsense_error_404.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location = /opnsense_server_error.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    proxy_intercept_errors off;
    # location to ban the host permanently
    set $naxsi_extensive_log 0;
    location @permanentban {
        access_log /var/log/nginx/permanentban.access.log main;
        internal;
        add_header "Content-Type" "text/plain; charset=UTF-8" always;
        return 403 "You got banned permanently from this server.";
    }
    error_page 418 = @permanentban;
    location = /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;
    }
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        proxy_pass http://127.0.0.1:43580;
    }
    # block based on User Agents defined in global http settings
    if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|l9explore|l9tcpid|Masscan|zgrab|Ronin/2.0|Hakai/2.0|Indy\sLibrary|^Mozilla/[\d\.]+$|Morfeus\sFucking\sScanner|MSIE\s[0-6]\.\d+) {
        return 418;
    }
    location /opnsense-auth-request {
      internal;
      fastcgi_pass  unix:/var/run/php-webgui.socket;
      fastcgi_index index.php;
      fastcgi_param TLS-Cipher $ssl_cipher;
      fastcgi_param TLS-Protocol $ssl_protocol;
      fastcgi_param TLS-SNI-Host $ssl_server_name;
      fastcgi_param Original-URI $request_uri;
      fastcgi_param Original-HOST $host;
      fastcgi_param SERVER-UUID "532ac9d7-321f-4ce6-a569-8947c1ee60bc";
      fastcgi_param SCRIPT_FILENAME  /usr/local/opnsense/scripts/nginx/ngx_auth.php;
      fastcgi_intercept_errors on;
      include        fastcgi_params;
    }
    if ($scheme != "https") {
        return 302 https://$host$request_uri;
    }
    include 532ac9d7-321f-4ce6-a569-8947c1ee60bc_pre/*.conf;


    include 532ac9d7-321f-4ce6-a569-8947c1ee60bc_post/*.conf;

}

}
stream {
    # LOG FORMATS
    log_format main '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time';
    log_format anonymized ':: [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time';

    # UPSTREAM SERVERS
    upstream upstreama2f569d399594042bd3e87d44972480f {
        server 10.200.1.2:443 weight=1 max_conns=1000 max_fails=1000 fail_timeout=1000;
    }
    upstream upstream9f39913216d146b9bba809e04c704161 {
        server 10.200.6.2:443 weight=1 max_conns=1000 max_fails=1000 fail_timeout=1000;
    }
    upstream upstream33d1614fde14477b8286c258dbb57a74 {
        server 10.200.1.4:443 weight=1 max_conns=1000 max_fails=1000 fail_timeout=1000;
    }
    upstream upstream7ec9246b91294af08d0f2dbd5373f412 {
        server 10.200.1.5:443 weight=1 max_conns=1000 max_fails=1000 fail_timeout=1000;
    }
    upstream upstream419f7f5065ef436eae97b504c28d354b {
        server 10.200.1.6:443 weight=1 max_conns=1000 max_fails=1000 fail_timeout=1000;
    }

    # upstream maps
    map $ssl_preread_server_name $hostmap41cac9dd9a5f4a89a1e0be6c73445cc6 {
        sub1.domain.tld upstream9f39913216d146b9bba809e04c704161;
        sub2.domain.tld upstream9f39913216d146b9bba809e04c704161;
        sub3.domain.tld upstream9f39913216d146b9bba809e04c704161;
        sub4.domain.tld upstreama2f569d399594042bd3e87d44972480f;
        sub5.domain.tld upstream33d1614fde14477b8286c258dbb57a74;
        sub6.domain.tld upstream33d1614fde14477b8286c258dbb57a74;
        sub7.domain.tld upstream33d1614fde14477b8286c258dbb57a74;
        sub8.domain.tld upstream419f7f5065ef436eae97b504c28d354b;
        sub9.domain.tld upstream7ec9246b91294af08d0f2dbd5373f412;

    }


    include opnsense_stream_vhost_plugins/*.conf;

    # servers
    server {

        listen 443;

        access_log  /var/log/nginx/stream_843d8674-ab7a-48d0-b4ed-715b2036b605.access.log main;
        error_log  /var/log/nginx/stream_843d8674-ab7a-48d0-b4ed-715b2036b605.error.log info;

        ssl_preread on;

        include 843d8674-ab7a-48d0-b4ed-715b2036b605_pre/*.conf;

        proxy_pass $hostmap41cac9dd9a5f4a89a1e0be6c73445cc6;

        include 843d8674-ab7a-48d0-b4ed-715b2036b605_post/*.conf;

    }
}
# mail {
# }
#28
Web Proxy Filtering and Caching / Nginx SNI SSL passthrough almo...
Last post by Slydder - November 23, 2025, 08:21:31 PM
I have a strange situation here with Nginx and SNI SSL passthrough.

I have multiple OPNsense servers running similar configs for similar stacks on the backend.

Basically setup is as follows:

Stream Server is listening on 443 with "Route With" set to "SNI Upstream mapping", and the "SNI Upstream Mapping" is set to the SNI stack.

SNI Based Routing has a single entry for all the domain names, pointing to the correct "Upstream" entries.

Upstream has all the correct entries pointing to the correct "Upstream servers"

Upstream Servers lists all the correct backend servers with IP:port settings, priority 1 and 1000 for the rest of the settings.


Now here is where it gets interesting. Once I restart nginx it works great for anywhere between 10 seconds and 1 minute, but then no matter what I do I get 404 errors 100% of the time after the initial working phase is over.

There are no errors in the logs, and DNS is constant and correct.

Anyone have ANY ideas WTF is going on here?

thx
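A check worth running against a stream{} SNI passthrough config like the one posted above before chasing the 404s further. This is an added Python example, not OPNsense code or the poster's: it parses the `upstream NAME { ... }` blocks and the `map $ssl_preread_server_name ...` block from a constructed config of the same shape (names and addresses are made up) and reports mapped names with no upstream block, plus a map without a `default` entry, which nginx resolves to an empty string for any SNI that is not listed.

```python
"""Added example (not OPNsense code): sanity-check an nginx stream{} SNI map.

Parses the `upstream NAME { ... }` blocks and the
`map $ssl_preread_server_name $VAR { ... }` block, then reports mapped names
with no upstream block and a map with no `default` (nginx then yields an
empty string for unmatched SNI, so proxy_pass has no target)."""
import re

# Constructed sample shaped like the posted config; names and IPs are made up.
SAMPLE_STREAM_CONF = """stream {
    upstream upstream_a { server 10.0.0.2:443 max_conns=1000; }
    upstream upstream_b { server 10.0.0.3:443 weight=1; }
    map $ssl_preread_server_name $hostmap {
        sub1.example.test upstream_a;
        sub2.example.test upstream_b;
        sub3.example.test upstream_c;
    }
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $hostmap;
    }
}"""

UPSTREAM_RE = re.compile(r"\bupstream\s+(\S+)\s*\{")
MAP_RE = re.compile(r"\bmap\s+\$ssl_preread_server_name\s+\$\w+\s*\{(.*?)\}", re.S)
ENTRY_RE = re.compile(r"^\s*(\S+)\s+(\S+);", re.M)

def parse_upstreams(conf):
    """Names of all `upstream NAME { ... }` blocks in the config text."""
    return set(UPSTREAM_RE.findall(conf))

def parse_sni_map(conf):
    """{sni_or_default: upstream_name} taken from the ssl_preread SNI map."""
    m = MAP_RE.search(conf)
    return dict(ENTRY_RE.findall(m.group(1))) if m else {}

def check_sni_routing(conf):
    """Return findings as strings; an empty list means the map is consistent."""
    upstreams, sni_map = parse_upstreams(conf), parse_sni_map(conf)
    if not sni_map:
        return ["no $ssl_preread_server_name map found"]
    findings = [f"{sni} -> {target}: no matching upstream block"
                for sni, target in sorted(sni_map.items()) if target not in upstreams]
    if "default" not in sni_map:
        findings.append("map has no default: unmatched SNI gives proxy_pass an empty target")
    return findings

if __name__ == "__main__":
    for line in check_sni_routing(SAMPLE_STREAM_CONF) or ["OK: every SNI maps to a defined upstream"]:
        print(line)
```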
#29
Zenarmor (Sensei) / Zenarmor Packet Engine Not Sta...
Last post by GuruLee - November 23, 2025, 08:12:56 PM
Greetings y'all. I searched back to June in this forum area and couldn't find any related posts, so here goes my issue:

I can no longer start the Zenarmor packet engine and I get these errors in notifications area:

* Error parsing lan interface configuration, bailing out

* Failed initializing network interfaces
netmap_register_if: igc2: NIOCREGIF ioctl failed for the interface: Cannot allocate memory

This issue started occurring after I set the following tunables on my OPNsense firewall:

dev.netmap.buf_num : 1000000
dev.netmap.ring_size : 4096
dev.netmap.generic_ringsize : 4096
dev.igc.0.fc : 0
dev.igc.1.fc : 0
dev.igc.2.fc : 0
hw.igc.max_interrupt_rate : 12000


My firewall was also restarted after making the above changes.

Current version and mode:
OPNsense 25.7.7_4-amd64
FreeBSD 14.3-RELEASE-p4
Zenarmor netmap is in emulated mode

#30
General Discussion / Re: GUI/Shell crashing
Last post by Mattps - November 23, 2025, 08:12:20 PM
I believe the microcode update is in the latest BIOS update, which I have installed. I'll have a look at the other posts. Do you think this is an issue with the HP T730 or the PCIe NIC?