"Recent posts
#21
General Discussion / Re: How to set limited bandwif...
Last post by Arno - Today at 03:11:48 PMYes. I thought so too.
But when I download a file from the computer with limited bandwidth it does not show up on the stats page (0 bytes accessed 1970-01-01T01:00:00).
The pipes and the rules are on the stats page.
So, or the docs/configuration has to be changed, or Shaper does not function as it should.
But when I download a file from the computer with limited bandwidth it does not show up on the stats page (0 bytes accessed 1970-01-01T01:00:00).
The pipes and the rules are on the stats page.
So, or the docs/configuration has to be changed, or Shaper does not function as it should.
#22
Zenarmor (Sensei) / Re: How to Install and Configu...
Last post by fine77 - Today at 03:11:43 PMi know this is an old thread but i have some mature issues on my opnsense backup node.
The primary node is nearly running perfect i've done the enrollment like its mentioned at the crowdsec page on both systems.
Both nodes are not really communicate to my firewalls from the portal and the backup node strangly gets 403 forbidden after one minute of trying.
i can not get it to run perfectly.
I've read, that they have additional blacklists integrated because of loop installs which wastes there ressources.
The primary node is nearly running perfect i've done the enrollment like its mentioned at the crowdsec page on both systems.
Both nodes are not really communicate to my firewalls from the portal and the backup node strangly gets 403 forbidden after one minute of trying.
i can not get it to run perfectly.
I've read, that they have additional blacklists integrated because of loop installs which wastes there ressources.
#23
General Discussion / [Noob question] - DNS Cache
Last post by Taxickdk - Today at 03:07:32 PMHi :)
I'm totally new to OpenSense, and I have a beginner question.
Is there somekind of DNS Cache in OpenSense? If yes! How can I disable it or reset it?
My sites dont resolved from my PC´s behind the OpenSense network!
If I use my mobile and disable the Wifi, it resolves fine
Regards
Thomas
I'm totally new to OpenSense, and I have a beginner question.
Is there somekind of DNS Cache in OpenSense? If yes! How can I disable it or reset it?
My sites dont resolved from my PC´s behind the OpenSense network!
If I use my mobile and disable the Wifi, it resolves fine
QuoteVersions
OPNsense 25.7.11_2-amd64
FreeBSD 14.3-RELEASE-p7
OpenSSL 3.0.18
Regards
Thomas
#24
25.7, 25.10 Series / Re: After updating Opnsense fr...
Last post by allenlook - Today at 02:55:25 PMDisabled IDS yesterday and memory utilization dropped to 50% of the 8GB.
Left it on overnight, and this morning memory and swap were both over 85% consumed.
Restarted host discovery service for grins and memory dropped to 40% and is climbing back up, currently 50% memory and 30% swap. System rarely used swap before now.
Left it on overnight, and this morning memory and swap were both over 85% consumed.
Restarted host discovery service for grins and memory dropped to 40% and is climbing back up, currently 50% memory and 30% swap. System rarely used swap before now.
#25
26.1 Series / Re: Upgrade to RC1 successful
Last post by franco - Today at 02:49:18 PMI haven't seen the migration config diff so I can't say anything definite about it yet.
The migration has to assume all radvd servers found in the config.xml are in use when not disabled. The code for track6 and manual override option on top of radvd burried in ISC-DHCPv6 server settings is not easy to follow and may even have been wrong historically in some spots. So if you set a radvd entry for an interface at some point but it was disabled for interface settings specific reasons it may come back as enabled even if the code was previously treating it as not being started although set to enabled (not adhering to the specific configuration, but the overall interface IPv6 config). It's a complicated situation we're trying to untangle here.
Cheers,
Franco
The migration has to assume all radvd servers found in the config.xml are in use when not disabled. The code for track6 and manual override option on top of radvd burried in ISC-DHCPv6 server settings is not easy to follow and may even have been wrong historically in some spots. So if you set a radvd entry for an interface at some point but it was disabled for interface settings specific reasons it may come back as enabled even if the code was previously treating it as not being started although set to enabled (not adhering to the specific configuration, but the overall interface IPv6 config). It's a complicated situation we're trying to untangle here.
Cheers,
Franco
#26
26.1 Series / Re: PF rejects UUID overload t...
Last post by daygle - Today at 02:47:13 PMQuote from: Monviech (Cedrik) on Today at 01:38:30 PMHello thanks for the report we are looking into it.
Thank you.
Also related, the migration firewall rules import failed due to the same issue. Export of old firewall rules produced alias names rather than uuids. The only way I was able to import was to remove the overload table alias names from the csv.
#27
26.1 Series / Re: PF rejects UUID overload t...
Last post by Monviech (Cedrik) - Today at 01:38:30 PM #28
26.1 Series / PF rejects UUID overload table...
Last post by daygle - Today at 01:11:11 PMAfter upgrading to OPNsense 26.1, PF is refusing to load the ruleset whenever a firewall rule uses rate‑limit / max‑src‑conn‑rate options.
The overload table names appear to be UUIDs, which exceed PF's maximum table‑name length.
This results in PF rejecting the entire ruleset.
Error output:
There were error(s) loading the rules: /tmp/rules.debug:317:
table name 'cc63f2df-3dc0-4fe5-a002-b8e7a2d5ade1' too long
The line in question reads [317]:
pass in quick on igc0 inet proto tcp from {any} to $ssh_ipv4 port {22}
keep state ( max 100 max-src-nodes 50 max-src-conn 20 max-src-states 3
tcp.established 300 max-src-conn-rate 2 /60,
overload <cc63f2df-3dc0-4fe5-a002-b8e7a2d5ade1> flush global )
label "4622edd3-7c20-497c-ba73-8c044b3cfcca" # SSH/RL/IPv4
Multiple similar UUID‑style table names are generated for other rules with rate‑limit settings, and PF rejects all of them.
Steps to reproduce
1. Create a firewall rule (e.g., SSH on WAN)
2. Open Advanced Options
3. Enable - Max src‑conn‑rate and Overload table alias.
4. Apply changes
5. PF fails to load ruleset with "table name too long"
For those who have the same issue - you can remove the overload alias from the rule until a fix has been applied.
The overload table names appear to be UUIDs, which exceed PF's maximum table‑name length.
This results in PF rejecting the entire ruleset.
Error output:
There were error(s) loading the rules: /tmp/rules.debug:317:
table name 'cc63f2df-3dc0-4fe5-a002-b8e7a2d5ade1' too long
The line in question reads [317]:
pass in quick on igc0 inet proto tcp from {any} to $ssh_ipv4 port {22}
keep state ( max 100 max-src-nodes 50 max-src-conn 20 max-src-states 3
tcp.established 300 max-src-conn-rate 2 /60,
overload <cc63f2df-3dc0-4fe5-a002-b8e7a2d5ade1> flush global )
label "4622edd3-7c20-497c-ba73-8c044b3cfcca" # SSH/RL/IPv4
Multiple similar UUID‑style table names are generated for other rules with rate‑limit settings, and PF rejects all of them.
Steps to reproduce
1. Create a firewall rule (e.g., SSH on WAN)
2. Open Advanced Options
3. Enable - Max src‑conn‑rate and Overload table alias.
4. Apply changes
5. PF fails to load ruleset with "table name too long"
For those who have the same issue - you can remove the overload alias from the rule until a fix has been applied.
#29
26.1 Series / Re: New rule system
Last post by keeka - Today at 12:50:28 PMI take your point. If on the other hand you have only known ASNs or subnets that you wish to allow, Pass would seem OK. But I am now feeling cautious about mixing Pass forward rules with those requiring explicit filter rules. It starts to feel messy.
#30
26.1 Series / Re: New rule system
Last post by Patrick M. Hausen - Today at 12:33:46 PMQuote from: keeka on Today at 12:27:15 PM- source/destination criteria in the port forward rule will serve as the filtering criteria.
Sure. Only thing is this is getting increasingly difficult in a single rule - regardless of NAT or filtering. Picture on WAN:
block all known bad actors: free block lists, Q-Feeds, Crowdsec, ...
permit inbound from GeoIP Europe but block everyone else
In a single rule you can have either source invert or not. You cannot combine in this fashion e.g.
allow from (not (bad actors)) and (GeoIP Europe)
You can of course
block from (bad actors) and (GeoIP except Europe)
only that the second variant generates an alias with orders of magnitude more entries.
So for me essentially "pass" is dead and I need two rules, one block, one allow.
