Recent posts

#21
General Discussion / Re: OPNsense DNS over TLS forw...
Last post by InvalidHandle - November 25, 2025, 05:29:21 PM
The Github report is here: github.com/NLnetLabs/unbound/issues/1379
#22
25.7, 25.10 Series / Re: Using Adguard Home and DNS...
Last post by JMini - November 25, 2025, 05:26:16 PM
I don't know what could be causing that DHCP non-renew issue. There are a lot of folks here way more experienced with this than I am.
Maybe start a new thread.
#23
German - Deutsch / Re: Wireguard VPN Verbindung a...
Last post by meyergru - November 25, 2025, 05:13:59 PM
No, in addition to the rules for reaching the WireGuard port, you also need rules for the traffic that leaves the tunnel.

That is step 5 here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html
#24
General Discussion / FIB/VRF support in OPNsense
Last post by pfry - November 25, 2025, 04:34:27 PM
There have been a few discussions of this in the fora; I didn't see any relevant github requests.

Would anyone be up for FIB/VRF support?

It could be implemented pretty simply. As with many OPNsense features, you could use VRFs/FIBs to really screw yourself up. But I think the feature would be quite usable. The beauty is that default behavior would not change in any meaningful sense, and it could be tested to a considerable extent without (GUI) implementation.

Details:

Possible kernel compile option: "options ROUTETABLES=n". Apparently the standard kernel can be configured (using "net.fibs", as below) for at least n=2. Appropriate setting? I imagine it would depend on impact, if any.

System:
  • Settings:
    • "net.fibs" in loader.conf. Not sure where to put this setting (General -> Networking, as "FIBs" or "VRFs"?). It would be used as an interlock for most of the settings below. Interlock behavior options: vanish/gray/do nothing/error on setting; zero/ignore fib settings when "net.fibs" is unconfigured.
    • "net.add_addr_allfibs" - I would make this a tuneable, default 0. I'm not sure if this setting is still available, or if it will be in future versions.
  • Gateways:
    • Configuration:
      • "fib" setting for the gateway.
      • "fib" column (not selected by default) for the display. I would display data from all fibs, using "setfib n [command]", as n=0 should always be valid.
  • Routes:
    • Configuration:
      • "fib" setting for the route.
      • "fib" column for the display, as above.
    • Status:
      • "fib" column for the display, as above.

Interfaces:
  • [Interface]:
    • "fib": integer

Firewall:
  • Automation:
    • Filter:
      • "fib" column for the display, as above. I would include this as the current display has lots of options.
  • Rules:
    • [Interface]:
      • Interlock: for "Action" = Pass, "Direction" = In: "fib" (pf "rtable") setting: integer.

I've likely missed (quite) a few... e.g. "fib" for ping, trace.

Possible caveat: "route" may be fussy with fib > 0 - it might require an "up" interface in the fib in order to add routes. I'm not sure if this is a non-default behavior, as I haven't tested it.
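As an added illustration of the "interlock" idea in the proposal above (not code from the post or from the OPNsense project), this POSIX shell snippet shows what such a check would look like outside the GUI: a per-object "fib" value is accepted only if it is a non-negative integer below the configured net.fibs, the accepted value is rendered as the pf "rtable" rule the post maps it to, and every FIB's routing table is dumped with "setfib n" when that command exists. The function names, the rule body and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the forum post or OPNsense: a FIB "interlock"
# check, a pf rule renderer, and a per-FIB route dump via setfib.
# Function names, rule body and sample values are assumptions.

# validate_fib FIB NET_FIBS
# Returns 0 when FIB is a non-negative integer below NET_FIBS (the value of
# the net.fibs loader tunable); returns 1 and prints a reason otherwise.
# An unset/empty net.fibs is treated as "FIBs not configured", so only
# fib 0 is accepted, matching the "error on setting" interlock option.
validate_fib() {
    fib=$1
    net_fibs=${2:-1}
    case $fib in
        ''|*[!0-9]*) echo "fib must be a non-negative integer" >&2; return 1 ;;
    esac
    case $net_fibs in
        ''|*[!0-9]*) echo "net.fibs is not a number" >&2; return 1 ;;
    esac
    if [ "$fib" -ge "$net_fibs" ]; then
        echo "fib $fib is outside the configured range (net.fibs=$net_fibs)" >&2
        return 1
    fi
    return 0
}

# pf_rule IFACE FIB
# Prints the pf filter rule a pass/in rule with a "fib" setting would map
# onto: pf's "rtable" keyword selects the routing table used to forward
# matching packets. The rule body itself is hypothetical.
pf_rule() {
    printf 'pass in quick on %s inet from any to any rtable %s\n' "$1" "$2"
}

# show_all_fibs: print each FIB's routing table using "setfib n", as the
# post suggests. Does nothing where setfib is unavailable (non-FreeBSD).
show_all_fibs() {
    command -v setfib >/dev/null 2>&1 || return 0
    n=$(sysctl -n net.fibs 2>/dev/null || echo 1)
    i=0
    while [ "$i" -lt "$n" ]; do
        echo "== FIB $i =="
        setfib "$i" netstat -rn
        i=$((i + 1))
    done
}

# Constructed sample run: with net.fibs=2, fib 1 is valid and fib 2 is not.
validate_fib 1 2 && pf_rule igb0 1
validate_fib 2 2 || echo "fib 2 rejected as expected"
show_all_fibs
```

Only the validation and rendering functions are portable; the route dump relies on FreeBSD's setfib and the net.fibs sysctl, so on another system it simply returns without output.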
#25
German - Deutsch / Re: Wireguard VPN Verbindung a...
Last post by BeTZe313 - November 25, 2025, 04:32:30 PM
In OPNsense I have opened port 51820 for everything inbound on WAN, LAN and WG1.

Unfortunately that did not help.

I have now installed the client on my phone. Unfortunately the same thing there. The connection is established, but I cannot reach anything on the VPN network.
#26
25.1, 25.4 Series / Re: Question about 2 vulnerabi...
Last post by franco - November 25, 2025, 03:52:28 PM
It's pretty interesting. I'll try to delete it when I see embedded links, but they mostly stick random stuff on here or repost old forum messages and only go back later and add links everywhere they already posted.


Cheers,
Franco
#27
25.1, 25.4 Series / Re: Question about 2 vulnerabi...
Last post by meyergru - November 25, 2025, 01:51:55 PM
Saw that only after it started advertising... damn AI slop.
#28
25.1, 25.4 Series / Re: Question about 2 vulnerabi...
Last post by franco - November 25, 2025, 01:32:43 PM
You both have been arguing with a bot :)
#29
25.7, 25.10 Series / Re: Problems Uploading Photos ...
Last post by AnthonyStark - November 25, 2025, 12:55:52 PM
I was able to identify the issue. Contrary to the recommendations in the documentation - which I was not yet aware of at the time - I had mixed tagged and untagged VLANs on the switch port. All VLANs are now tagged, and the problem no longer occurs.

EDIT:
Too early, the problem unfortunately still occurs.
#30
General Discussion / Re: Site-2-Site VPN and additi...
Last post by tkrn - November 25, 2025, 12:53:45 PM
I had a similar problem where I was just getting a single endpoint on my site-to-site VPN and I could not get an L3 subnet for a full route table between networks. My problem turned out to be that the common name has to match the client certificate which I issued to the other site. The common name did not match the common name within the certificate, thus never applying the Client Specific Overrides, which is the mechanism that pushes the routed subnets. As you expand the common name within Client Specific Overrides, it gave me the hint that "Enter the client's X.509 common name here."

After that was resolved, I forced a disconnect and it came back up as expected! Additionally, my OpenVPN role is SERVER, and type TUN, topology SUBNET. Let me know if you have any questions!