"Recent posts
#21
25.7, 25.10 Series / Re: NAT reflection rules being...
Last post by gerardo - Today at 02:16:48 AMOk, solved by adding a custom rule to allow any LAN IP to hit the specific redirected host, which is nginx proxy mgr. All the other hosts are still inaccessible behind npm.
#22
25.7, 25.10 Series / Re: NAT reflection rules being...
Last post by gerardo - Today at 01:57:54 AMI've got the exactly same problem after I upgraded to the latest version (from a year ago).
#23
25.7, 25.10 Series / Re: Pointing to adguard DNS se...
Last post by mpoldphone191 - Today at 01:05:49 AMNot sure why Unbound isn't sending the requests to the other server, I would check to see if the Opnsense instance can hit the other AdGuard server. Easy way to do that is to open a Shell in Opnsense then do a dig command to do a DNS query. The command line should be something along the lines of dig @IP of Adguard hp.com, though that is the Linux command so I am unsure if it will work in BSD. If it can't communicate then check the Opnsense and local firewall settings.
The way I would prefer to do it is change the DNS server in the DHCP settings to issue the AdGuard IP to your clients. This will point all devices that request an IP to use the AdGuard IP, the nice thing about this is that the AdGuard logs will show the source IP of the query instead of the OpnSense IP to make troubleshooting other issues easier. The setting will in the DHCP Server settings in services.
If you don't want to change it in DHCP you can alternatively set it on the OS to use a certain one, though this is not recommended for mobile devices since it will try to use your IP server when you connect to other networks.
The way I would prefer to do it is change the DNS server in the DHCP settings to issue the AdGuard IP to your clients. This will point all devices that request an IP to use the AdGuard IP, the nice thing about this is that the AdGuard logs will show the source IP of the query instead of the OpnSense IP to make troubleshooting other issues easier. The setting will in the DHCP Server settings in services.
If you don't want to change it in DHCP you can alternatively set it on the OS to use a certain one, though this is not recommended for mobile devices since it will try to use your IP server when you connect to other networks.
#24
General Discussion / Re: [solved] pf ruleset causin...
Last post by OPNenthu - Today at 12:25:15 AMI did also drop a note in the Hardware section topic to correct the record :)
#25
General Discussion / Re: [solved] pf ruleset causin...
Last post by nero355 - Today at 12:15:11 AMQuote from: Patrick M. Hausen on December 27, 2025, 05:26:26 PMTrueNAS does not support policy routing so if you have network interfaces in different networks it will always answer any client fromWhat is TrueNAS based on these days ?!
- the directly connected one, if present
- the one with the default gateway, otherwise
Specifically there is no separation of the UI and the file sharing services. Not possible, don't try it, you will fail.
First it was FreeBSD and then they switched to Linux as far as I know ?
Sounds like very bad decisions were made the last couple of years if it for example doesn't have SystemD and it's Policy Routing/Source Based Routing onboard like you would expect it to have...
Quote from: Patrick M. Hausen on December 28, 2025, 10:30:30 AMYou can bind different services to different interfaces, of course. But if your management desktop and TN share a common network and you define "management" to be a different one to be accessed through a firewall, TN will send the replies through the common network bypassing the firewall, because that's how routing works.I had that issue (A-Symmetrical Routing blocked by the OPNsense Default Block Rule) after switching from my old Ubiquiti USG 3P Router to OPNsense and solved it via SystemD Network Configuration for :
eth0
eth0.10 VLAN
eth0.any other VLAN
Now my Traffic is no longer blocked when accessing this Multi-VLAN Interface device from VLAN 10 to it's Management eth0 address and my SSH connection for example doesn't time out! :)
QuoteA separate storage network for e.g. iSCSI assumes that all clients and the TN server share that network, so no asymmetric routing occurs. That of course is perfectly reasonable. Same for e.g. NFS for VMware.As long as you keep things 1:1 connected in the same subnet there are no issues indeed :)
QuoteBut placing mangement in a separate network does not work unless the management station is in that same network. Just like with the storage examples.Unless you can manipulate the Routing Table on the device you are accessing ofcourse!
Quote from: OPNenthu on December 29, 2025, 11:27:32 PMit seems I may have misjudged the AQC113 NIC earlier.I hope so too for you, because I have just read your other topic about the NIC and I am really disappointed that the driver support is not all that great/how it should be or could have been...
Look like the AQC113 is so far not falling down :)
Hope this keeps up.
It was soo promising when it was announced many years ago : Just € 95 for a 1 port 10 Gbps NIC with RJ45 was WOW!!! at the time!
#26
25.7, 25.10 Series / Re: Upgrade version discrepanc...
Last post by erwinvanlonden - Today at 12:07:44 AMQuote from: franco on December 22, 2025, 08:10:28 AMYou're not posting your update attempt logs here either. I'm not sure how to help in that case other than give moral rubber duck support. ;)
Cheers,
Franco
Hello Franco,
Apologies for the late reply. Attached is the last report I got when doing an audit on the upgrade. Not sure what to make of this. I'm just trying to figure out why the Status and Changelog page shows that I'm on the latest version but when the "Check Update" has ran the result is that Opnsense thinks I'm still on 25.7.8
Code Select
Type opnsense
Version 25.7.10
Architecture amd64
Commit c2f076f30
Mirror https://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:14:amd64/25.7
Repositories OPNsense (Priority: 11)
Updated on Fri Dec 19 17:20:40 AEST 2025
Checked on Tue Dec 30 08:22:05 AEST 2025
Code Select
Version Date
25.7.10 (installed) 2025-12-18
25.7.9 2025-12-04
Code Select
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.7.10 (amd64) at Tue Dec 30 09:00:56 AEST 2025
Fetching changelog information, please wait... fetch: transfer timed out
fetch: /usr/local/opnsense/changelog/changelog.txz appears to be truncated: 0/195380 bytes
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 928 packages processed.
All repositories are up to date.
Checking for upgrades (82 candidates): .......... done
Processing candidates (82 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
When this finishes I see this.
Code Select
Package name Current version New version Required action Repository
base 25.7.8 25.7.10 upgrade OPNsense
kernel 25.7.8 25.7.10 upgrade OPNsense
#27
25.7, 25.10 Series / Re: Dashboard/WebGUI slows, ha...
Last post by ChrisChros - December 29, 2025, 11:55:48 PMI experience the same with the Chrome Browser on my MacBook. With Safari I have no issues.
I deleted all widgets and start rebuilding when I recognized that Chrome will hang up also when I move the widgets.
At the moment Chrome is not usable with the new WebUi.
I deleted all widgets and start rebuilding when I recognized that Chrome will hang up also when I move the widgets.
At the moment Chrome is not usable with the new WebUi.
#28
Hardware and Performance / Re: Adapts to Marvell AQC113C-...
Last post by OPNenthu - December 29, 2025, 11:41:26 PMI think I was premature with my observation because of a routing issue that @Patrick M. Hausen has clarified for me. I now have the AQC113 working in a layered setup under a Linux machine. Hopefully the FreeBSD support will also be in a good place.
#29
General Discussion / Re: Fresh install blocking mos...
Last post by Petski - December 29, 2025, 11:29:30 PMcoffeecup25,
I agree about the Cisco switch but I got it cheap and needed at least 16 ports. Yes, it is factory reset and in dumb switch mode with the only change being to move the management GUI address to be within my DHCP range.
When I tried to use KEA, the MAC address binding table appeared to be ignored and all ports were assigned dynamically. Since I have spent many days just to get where I am now, I'm reluctant to attempt switching back to KEA again... Does dnsmasq allow for the same DNS override? What I want is for the DHCP portion of dnsmasq to tell the clients that PiHole (Statically positioned within my subnet) is the primary DNS serve. Right now, it is sending clients the OPNsense gateway address (192.168.1.1) which subsequently gets forwarded on to PiHole. Currently my only drawback is that PiHole's statistics are all pointing to the single gateway address instead of breaking up the statistics based on which client is requesting.
Another observation I made was that in order for the MAC address reservations to take effect, I had to power cycle every client. Rebooting OPNsense had no effect. I never had this issue or this much trouble when using the old Cisco router.
I agree about the Cisco switch but I got it cheap and needed at least 16 ports. Yes, it is factory reset and in dumb switch mode with the only change being to move the management GUI address to be within my DHCP range.
When I tried to use KEA, the MAC address binding table appeared to be ignored and all ports were assigned dynamically. Since I have spent many days just to get where I am now, I'm reluctant to attempt switching back to KEA again... Does dnsmasq allow for the same DNS override? What I want is for the DHCP portion of dnsmasq to tell the clients that PiHole (Statically positioned within my subnet) is the primary DNS serve. Right now, it is sending clients the OPNsense gateway address (192.168.1.1) which subsequently gets forwarded on to PiHole. Currently my only drawback is that PiHole's statistics are all pointing to the single gateway address instead of breaking up the statistics based on which client is requesting.
Another observation I made was that in order for the MAC address reservations to take effect, I had to power cycle every client. Rebooting OPNsense had no effect. I never had this issue or this much trouble when using the old Cisco router.
#30
General Discussion / Re: My pf ruleset causing clie...
Last post by OPNenthu - December 29, 2025, 11:27:32 PMThanks again, Patrick. This little bit of new understanding made all the difference and it seems I may have misjudged the AQC113 NIC earlier. I got the layered setup working, finally.
Since they're asymmetrical I bonded them in active/backup with the 10GbE member as primary. Then I added br1 for native access (in case I want some VMs or UniFi OS on there later) and assigned it the main IP. Then added a few VLANs on the bond and separate bridges for each VLAN. Finally assigned an IP to br30 and bound the web UI to this as well (at least temporarily), so now I'm able to access it from my client network for configuration changes without any hiccups.
If I did this correctly with the separate bridges, then there shouldn't be any RA spillover when I enable IPv6 auto-config in TN.
I don't have a 10GbE client to test with, but I'm at least able to saturate a 2.5GbE link from my client to the NAS using iperf3:
Look like the AQC113 is so far not falling down :) Hope this keeps up.
Since they're asymmetrical I bonded them in active/backup with the 10GbE member as primary. Then I added br1 for native access (in case I want some VMs or UniFi OS on there later) and assigned it the main IP. Then added a few VLANs on the bond and separate bridges for each VLAN. Finally assigned an IP to br30 and bound the web UI to this as well (at least temporarily), so now I'm able to access it from my client network for configuration changes without any hiccups.
Code Select
truenas_admin@truenas[~]$ ip -brief a
lo UNKNOWN 127.0.0.1/8 ::1/128
enp6s0 UP
enp3s0 UP
bond1 UP fe80::<redacted>:4109/64
vlan20@bond1 UP fe80::<redacted>:4109/64
vlan30@bond1 UP fe80::<redacted>:4109/64
vlan60@bond1 UP fe80::<redacted>:4109/64
br1 UP 192.168.1.118/24 fe80::<redacted>:850b/64
br20 UP fe80::<redacted>:9746/64
br30 UP 172.21.30.118/24 fe80::<redacted>:435e/64
br60 UP fe80::<redacted>:952c/64
If I did this correctly with the separate bridges, then there shouldn't be any RA spillover when I enable IPv6 auto-config in TN.
I don't have a 10GbE client to test with, but I'm at least able to saturate a 2.5GbE link from my client to the NAS using iperf3:
Code Select
$ iperf3 -c truenas.clear.h1.internal
Connecting to host truenas.clear.h1.internal, port 5201
[ 5] local 172.21.30.100 port 46912 connected to 172.21.30.118 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 283 MBytes 2.37 Gbits/sec 0 311 KBytes
[ 5] 1.00-2.00 sec 281 MBytes 2.36 Gbits/sec 0 291 KBytes
[ 5] 2.00-3.00 sec 281 MBytes 2.36 Gbits/sec 0 297 KBytes
[ 5] 3.00-4.00 sec 280 MBytes 2.35 Gbits/sec 0 303 KBytes
[ 5] 4.00-5.00 sec 280 MBytes 2.35 Gbits/sec 0 294 KBytes
[ 5] 5.00-6.00 sec 281 MBytes 2.36 Gbits/sec 0 300 KBytes
[ 5] 6.00-7.00 sec 280 MBytes 2.35 Gbits/sec 0 291 KBytes
[ 5] 7.00-8.00 sec 280 MBytes 2.35 Gbits/sec 0 291 KBytes
[ 5] 8.00-9.00 sec 281 MBytes 2.36 Gbits/sec 0 294 KBytes
[ 5] 9.00-10.00 sec 281 MBytes 2.35 Gbits/sec 0 291 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 2.74 GBytes 2.36 Gbits/sec 0 sender
[ 5] 0.00-10.00 sec 2.74 GBytes 2.35 Gbits/sec receiver
Look like the AQC113 is so far not falling down :) Hope this keeps up.
