Recent posts

#21
Quote from: Armani on December 16, 2025, 03:09:08 AM
Including more comprehensive and regularly updated community lists would significantly improve the default security level of OPNsense installations.
When editing a blocklist you can enable advanced mode to get the `URLs of Blocklists` field, where you can add URLs to all the blocklists you want.
They don't necessarily have to be provided by OPNsense itself.
#22
Is this a hosted environment? Is the OPNsense VM permitted to use a different MAC address than the host on WAN?
#23
25.7, 25.10 Series / Re: WireGuard + AdGuard Home p...
Last post by user89 - Today at 01:21:00 PM
I can see now that many people have problems with DNS after upgrading to 25.7.10, but I had the same issue with the previous version too.

Other interfaces are sending queries to AdGuard Home and work fine. The only issue is when I connect under WireGuard (Mullvad).
#24
Tutorials and FAQs / Re: OpnSense internet access u...
Last post by Seimus - Today at 01:16:10 PM
Quote: (I cannot activate DHCP)

Why? :)
Is this just for testing?

Quote: Currently, I can ping other VMs on the same WAN network (they have internet access), and I can ping the gateway itself, but I have no internet connectivity (I can't ping 8.8.8.8 or 1.1.1.1).

So you ping from the OPN directly?
Assuming the WAN has a private IP assigned, can you only ping devices in the same subnet as the WAN on OPN?
Do you have a default route set pointing to WAN?

Regards,
S.
#25
25.7, 25.10 Series / WireGuard + AdGuard Home plugi...
Last post by user89 - Today at 01:11:35 PM
Hi everyone,

I'm looking for help with an OPNsense setup that mostly works, but breaks when I enforce DNS filtering on a VLAN that uses policy routing through WireGuard.

Environment

Firewall / Router: OPNsense 25.7.10

VPN: WireGuard client to Mullvad

DNS: AdGuard Home official OPNsense plugin

WireGuard: running directly on the OPNsense router

Clients: smartphones, PCs, IoT devices


Network layout

  • LAN: 192.168.100.0/24 (OPNsense: 192.168.100.1)
  • VPN / IoT VLAN: 192.168.41.0/24 (interface: vlan_unifi_wifi_VPN, gateway: 192.168.41.1)
  • WireGuard tunnel address: 10.x.x.x/32 (Mullvad)




Gateway configuration (System → Routing → Gateways)

WAN gateway
  • Interface: WAN (DHCP)
  • Default gateway: Yes
  • Used for normal LAN traffic

WireGuard (Mullvad) gateway
  • Interface: WireGuard
  • Name: Mullvad_WG_GW
  • Default gateway: No
  • Monitor IP: configured (public IP / 1.1.1.1)
  • Status: Online
  • Used only via policy routing in firewall rules



Goal (important)

I'm intentionally using this design because:

  • the vlan_unifi_wifi_VPN network contains IoT devices

  • all clients on this VLAN must use filtered DNS

I want:

  • to force DNS traffic to AdGuard Home

  • to filter selected DNS queries (ads / tracking / domains)

  • after DNS filtering, to route all Internet traffic via WireGuard (Mullvad)

Using AdGuard is not optional in this VLAN.



What works

WireGuard itself works:

  • ping from WireGuard tunnel → 8.8.8.8 ✅
  • ping from 192.168.41.1 → 8.8.8.8 ✅
  • Outbound NAT on WireGuard is in place and working
  • Mullvad gateway is online
  • AdGuard Home receives DNS queries from the VPN VLAN
  • If I don't force DNS, Internet access works from the VPN VLAN
  • Using WireGuard directly on a phone (WG app) works perfectly


Problem

When I enable DNS firewall rules on the VPN VLAN:
  • AdGuard receives the DNS queries
  • DNS resolution works
  • BUT clients have no Internet access
  • clicking links → timeout
  • many apps fail to load

👉 If I disable the DNS firewall rules on vlan_unifi_wifi_VPN, Internet works immediately




Firewall rules – vlan_unifi_wifi_VPN (order top → bottom)

1) Allow DNS to AdGuard
  • Action: PASS
  • Source: 192.168.41.0/24
  • Destination: 192.168.100.1
  • Port: 53 TCP/UDP
  • Gateway: default

2) Internet via Mullvad (policy routing)
  • Action: PASS
  • Source: alias VPN_Machines (includes 192.168.41.100–200)
  • Destination: !RFC1918
  • Gateway: Mullvad_WG_GW

3) Block external DNS
  • Action: BLOCK
  • Source: 192.168.41.0/24
  • Destination: any
  • Port: 53 TCP/UDP



Firewall rules – LAN

Allow LAN net → any
(no restrictions during troubleshooting)


Additional checks

  • Firewall states reset multiple times
  • Outbound NAT in Hybrid mode
  • Explicit NAT rule: interface WireGuard, source 192.168.41.0/24, translation: interface address
  • WireGuard MTU set to 1420
  • Tried MSS clamping via Firewall → Settings → Normalization
  • No obvious blocks in firewall logs



Questions

  • Is this the correct approach to force DNS through AdGuard on a policy-routed VLAN?
  • Are there known issues between the AdGuard Home plugin, policy routing with WireGuard, and blocking external DNS?
  • Am I forcing/blocking DNS in the wrong place?
  • Would floating rules / reply-to / normalization be required here?





Screenshots available for: gateways, VLAN firewall rules, LAN firewall rules, outbound NAT, WireGuard, AdGuard Home.

Thanks in advance for any insight.
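To see what the rule order in the post actually permits, here is a small first-match evaluator. This is an added example, not code from OPNsense, the AdGuard Home plugin or the poster. It assumes OPNsense's default first-match ("quick") rule semantics, models the VPN_Machines alias as the host range 192.168.41.100–200 the post describes, and uses constructed sample flows; it ignores states, NAT and reply-to, so it says which rule a new flow hits, not what happens to return traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Set

Addr = ipaddress.IPv4Address

# Addresses taken from the post; the alias is modelled as the stated host range.
VLAN_NET = ipaddress.ip_network("192.168.41.0/24")
ADGUARD = ipaddress.ip_address("192.168.100.1")
VPN_MACHINES = {ipaddress.ip_address(f"192.168.41.{i}") for i in range(100, 201)}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: Addr) -> bool:
    return any(ip in net for net in RFC1918)


@dataclass
class Rule:
    name: str
    action: str                                  # "pass" or "block"
    src: Callable[[Addr], bool]
    dst: Callable[[Addr], bool]
    ports: Optional[Set[int]] = None             # None means any destination port
    gateway: str = "default"


# The three interface rules from the post, in the order they are listed.
RULES = [
    Rule("1 Allow DNS to AdGuard", "pass", lambda s: s in VLAN_NET, lambda d: d == ADGUARD, {53}),
    Rule("2 Internet via Mullvad", "pass", lambda s: s in VPN_MACHINES, lambda d: not is_rfc1918(d), None, "Mullvad_WG_GW"),
    Rule("3 Block external DNS", "block", lambda s: s in VLAN_NET, lambda d: True, {53}),
]


def evaluate(src: str, dst: str, dport: int, rules=RULES):
    """First-match evaluation (OPNsense interface rules have 'quick' set by default).
    Returns (rule name, action, gateway); a flow matching nothing hits the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.src(s) and rule.dst(d) and (rule.ports is None or dport in rule.ports):
            return rule.name, rule.action, rule.gateway
    return None, "block", None


# Constructed sample flows (not from the post) covering the interesting cases.
SAMPLE_FLOWS = [
    ("192.168.41.150", "192.168.100.1", 53),   # DNS to AdGuard on the LAN address
    ("192.168.41.150", "192.168.41.1", 53),    # DNS to the VLAN's own gateway address
    ("192.168.41.150", "8.8.8.8", 53),         # DNS to a public resolver from an alias member
    ("192.168.41.150", "1.1.1.1", 443),        # HTTPS from an alias member
    ("192.168.41.50", "1.1.1.1", 443),         # HTTPS from a host outside VPN_Machines
]


def report(flows=SAMPLE_FLOWS):
    """One (flow, verdict) tuple per sample flow."""
    return [((s, d, p), evaluate(s, d, p)) for s, d, p in flows]


if __name__ == "__main__":
    for (s, d, p), (name, action, gw) in report():
        print(f"{s:>15} -> {d:<15}:{p:<4} {action:5} via {gw or '-':14} [{name or 'implicit default deny'}]")
```

Two outcomes of the model are worth checking against the live box (`pfctl -sr` lists the loaded rules): for an alias member, a query to a public resolver on port 53 matches rule 2 and leaves via Mullvad before rule 3 ever sees it, so rule 3 only blocks DNS to private destinations other than 192.168.100.1; and a query to 192.168.41.1:53 is blocked by rule 3, which matters if DHCP on that VLAN hands out the VLAN gateway address as the DNS server.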
#26
I can confirm that as of Dec '25 this problem still exists on OPNsense 25.7.10. I'm running the exact same hardware (T730 and HP NC364T) and I'm getting the "spin lock held too long" error message occasionally. It happens a few times a day, even while the unit is idle (no traffic flowing in/out).
#27
Are you using the community or business edition?

I have used the business edition on my appliance and always used just the blocklist tab, then checked those I wanted to use.
The extended one I never used?

Should I be reconsidering this (it doesn't show Hagezi)? It seems like a move backwards.
#28
25.7, 25.10 Series / Re: Best upgrade path to 25.7....
Last post by Seimus - Today at 12:47:29 PM
I don't think there is any official path for this.
AdGuard is a 3rd-party community plugin.

The only official upgrade path is for OPNsense itself, and that's set automatically by the devs.

What you can do is save your current config, OPN as well as AdGuard. Upgrade, reinstall AdGuard and import the config back.

Regards,
S.
#29
Do you not have to select the rulesets the policies get applied to?
Or does selecting none automatically mean it is applied to all?
#30
French - Français / Redirections HTTP, HTTPS, FTP ...
Last post by nuxbsd - Today at 12:18:37 PM
Hello everyone,

I moved to OPNsense because with my old router it was no longer possible to update the firmware, as it was no longer maintained.
I was doing port forwards from the WAN to the LAN and everything worked very well, and nothing has been changed on the server configuration side.
With OPNsense I am running into some problems.

Here is what I did on OPNsense:

For the login GUI
  • I moved the connection port to 8443 instead of 443
  • I made it listen on 8443 only, on the LAN interface

What works
> from a public IP

  • 80 and 443 pointing to the IP 192.168.1.14

What does not work
> from a public IP to the LAN

  • the FTP connection: it only works inside the LAN, I cannot reach the server from outside

What does not work
> from a LAN IP to the public IP of OPNsense:

  • from a machine on my LAN I cannot reach services 80 and 443 via the public IP

Here is what I have in the various sections:
(three attachments, not viewable)

I wonder what I forgot for this not to work as I would have liked.
Can you help me please?
Thank you.
Regards.