Recent posts

#21
25.7, 25.10 Series / Re: Transparent Filtering Brid...
Last post by Patrick M. Hausen - November 15, 2025, 07:03:51 PM
What are your specific questions? Just go ahead and ask them ;-)

Have you read the documentation on the transparent filtering bridge?
#22
Hardware and Performance / Re: OPNsense on VMware
Last post by meyergru - November 15, 2025, 06:59:37 PM
Since ZFS is a COW filesystem, it will usually be consistent, unlike UFS. But redundancy would probably better be left to the "real" storage layer.
#23
Hardware and Performance / OPNsense on VMware
Last post by spetrillo - November 15, 2025, 06:52:45 PM
Hello all,

My client runs an OPNsense firewall on VMware. It runs really well and takes no real resources. I am building a replacement 25.7 firewall. As I got to the storage config I stopped and thought: should I allocate two disks and run these as a ZFS RAID 1 pair? Well, can someone comment on whether this makes any sense under VMware?

Thanks,
Steve
#24
General Discussion / Re: Can’t get the shaper on OP...
Last post by meyergru - November 15, 2025, 06:51:45 PM
You need the pipe first as in the howto, with the total available WAN bandwidth.

Then you need two queues for LAN and GUEST referencing that same pipe and weights to define the relative priorities as in the howto.

Last, you define the LAN and GUEST rules referencing the respective queue. They both use the WAN interface; apart from that, they have for the LAN rule:

interface = WAN
proto = ip
source = any
src-port = any
destination = 192.168.x.0/24 (whatever your LAN network has)
dst-port = any
target = LAN-Queue

and for the GUEST rule:

interface = WAN
proto = ip
source = any
src-port = any
destination = 192.168.y.0/24 (whatever your GUEST network uses)
dst-port = any
target = GUEST-Queue

You probably used the LAN and GUEST interfaces in the rules; that will not work.
#25
25.7, 25.10 Series / Transparent Filtering Bridge c...
Last post by Jose - November 15, 2025, 06:48:32 PM
Hello, I'm really sorry if this was asked previously, but I have some specific questions regarding a typical Transparent Filtering Bridge configuration.

I was using OPNsense for several years without any issues so far; however, I've recently switched from a standard setup to the Transparent Filtering Bridge mode because I switched from DSL to a CGNAT/ISP, so I have some questions regarding some settings which typically differ from the OPNsense TFB how-to documentation.

This is my current TFB setup (IPv6 is disabled):

Interfaces: [WAN] -> igb0
  IPv4 Configuration Type: DHCP (It was: NONE)
  IPv6 Configuration Type: NONE (It was: DHCPv6)

Interfaces: [LAN] -> igb1
  IPv4 Configuration Type: NONE
  IPv6 Configuration Type: NONE (It was: Track Interface)

Interfaces: [TFB] -> igb0 + igb1
  IPv4 Configuration Type: NONE
  IPv6 Configuration Type: NONE

Interfaces: [ADM] -> vtnet0
  IPv4 Configuration Type: Static IPv4
  IPv6 Configuration Type: NONE

My question is whether the above TFB configuration looks acceptable, since I had to set IPv4 to DHCP on the [WAN] interface; otherwise OPNsense is unable to be upgraded as expected, since there's no route to host.

The OPNsense and Zenarmor how-tos both specify setting the IPv4 configuration to NONE, but in my case I had to set it. The TFB rules seem to work as intended; however, is there any security implication in leaving the [WAN] IPv4 set to DHCP always, plus the required rule to "Allow All" on such an interface?

I could disable and set it back to NONE after OPNsense upgrades and reboot but that is a bit of a hassle.

PS: the [ADM] interface is only for local administration. Also, sorry, I pushed Post instead of Preview while writing.

Regards
#26
25.7, 25.10 Series / Understanding Logging or an is...
Last post by dotsch - November 15, 2025, 06:26:24 PM
Hello,

I'm coming from pfSense and migrated to OPNsense. Not sure if it's an understanding problem or another issue.

Using Maltrail, IDS/IPS and CrowdSec. In the floating firewall rules I have some IPBL blocklists to block incoming and outgoing traffic to Tor, DROP, ET and some more. Also a VoIP NAT into one of the DMZ interfaces.

In the IDS/IPS, CrowdSec and Maltrail, and also in the firewall log, I did not get any log alerts for connection attempts, like from some botnets. I expected that these attempts would be alerted in Suricata and Maltrail.
Some time ago, I also got some Suricata and Maltrail alerts.

Is this behaviour OK? Or am I wrong, or is there an issue?

#27
General Discussion / Can’t get the shaper on OPNsen...
Last post by robert.haugen@gmail.com - November 15, 2025, 06:25:32 PM
I want the LAN network to have priority for download traffic.
When the network is not congested, the GUEST network should still have full speed.
However, when both LAN and GUEST are heavily used, LAN should receive significantly higher priority.

I've tried all combinations of Pipes, Queues, and Rules without success.

Reference:
https://docs.opnsense.org/manual/how-tos/shaper_prioritize_using_queues.html

For testing, I'm using two Debian Linux clients — one on LAN and one on GUEST — running the "Speedtest by Ookla" CLI tool.
#28
General Discussion / Re: OPNsense VLANs Configurati...
Last post by Patrick M. Hausen - November 15, 2025, 04:06:50 PM
Dnsmasq is essentially a one-person project. Also, it tries to do way too many things simultaneously, IMHO. It doesn't even have a GitHub repo; it's hosted on a private server.

Kea is the official successor to DHCPd by ISC or the "Internet Software Consortium". They also gave us BIND. Founded by a certain Paul Vixie, you might have heard of him.

I know on which I am placing my bets.
#29
General Discussion / Re: OPNsense VLANs Configurati...
Last post by ebox - November 15, 2025, 03:57:46 PM
As of today, I'm not completely sure, to be honest, but I've read in several places that KEA DHCP is the official replacement for ISC DHCP and is actively being developed. Because of that, I figured it might be safer to move in that direction in case Dnsmasq doesn't receive certain features. My main concern is committing to Dnsmasq now and then having to migrate later once I've built up a lot more configuration. It's really just me worrying about missing out.
#30
25.7, 25.10 Series / Re: VLAN can't get an IP addre...
Last post by Patrick M. Hausen - November 15, 2025, 03:56:36 PM
Is any of the various DHCP services configured and enabled for these VLANs?