"Recent posts
#21
26.1 Series / Re: New rule system
Last post by OPNenthu - Today at 02:09:47 AM@tessus The "Automation" rules UI in 25.7 has been moved to "Rules [new]" in 26.1. The idea is that this UI (regardless of whether you use automation or not) will eventually replace the legacy Rules UI. I think what we're talking about here will eventually affect everyone, but not for a while.
What I'm hearing from the responses so far is that nothing changes except for the ability to set Floating rules on a single, specific interface. That is a loss in flexibility with the new rules system, but I don't know if it will be a big deal or not. If that doesn't affect you then you can happily use the new system.
I don't think anything is changed in the old rules system so if you're still using that you're good for now. The concerns people had around NAT and rule order impacts were regarding the new rules system and those turned out to be incorrect as @meyergru explained to me.
What I'm hearing from the responses so far is that nothing changes except for the ability to set Floating rules on a single, specific interface. That is a loss in flexibility with the new rules system, but I don't know if it will be a big deal or not. If that doesn't affect you then you can happily use the new system.
I don't think anything is changed in the old rules system so if you're still using that you're good for now. The concerns people had around NAT and rule order impacts were regarding the new rules system and those turned out to be incorrect as @meyergru explained to me.
#22
25.7, 25.10 Series / RAM usage
Last post by gmartin - Today at 01:48:50 AMI'm running 25.11 as a vm under proxmox. Underlying CPU is a Intel N5105 and the only other VM is running pihole. I'd appreciate any recommendations on how to configure RAM. I have a 400Mb internet connection. Heaviest use is a torrent client with many active connections. I stream hulu and share plex with a couple folks but internet usage is generally sub 100Mb.
Currently I've assigned it 4GB and per top it is using 2GB of swap. Here are the top stats:
is the 4GB adequate? Could it be "too much"?
Could I assign it 2GB and baloonm to 4GB?
Appreciate any thoughts you have.
\\Greg
Currently I've assigned it 4GB and per top it is using 2GB of swap. Here are the top stats:
Code Select
last pid: 58271; load averages: 0.15, 0.19, 0.21 up 0+02:59:52 19:33:53
65 processes: 1 running, 64 sleeping
CPU: 0.8% user, 0.0% nice, 0.1% system, 0.4% interrupt, 98.8% idle
Mem: 202M Active, 2333M Inact, 467M Laundry, 610M Wired, 393M Buf, 290M Free
ARC:
Swap: 9979M Total, 2063M Used, 7916M Free, 20% Inuseis the 4GB adequate? Could it be "too much"?
Could I assign it 2GB and baloonm to 4GB?
Appreciate any thoughts you have.
\\Greg
#23
Portuguese - Português / Re: Comunidade - Língua Portug...
Last post by gabrielf3 - Today at 12:49:11 AMMe chamo Gabriel Ferreira, sou de Aracaju - Sergipe.
Trabalho com o OPNSense profissionalmente desde 2025, já implantei em várias empresas aqui na Cidade.
Gostaria de ajudar ainda mais, no fortalecimento da comunidade.
Trabalho com o OPNSense profissionalmente desde 2025, já implantei em várias empresas aqui na Cidade.
Gostaria de ajudar ainda mais, no fortalecimento da comunidade.
#24
Hardware and Performance / Re: SFP+ to RJ45 slow WAN spe...
Last post by nero355 - Today at 12:48:58 AMQuote from: pfry on January 26, 2026, 10:16:11 PMThat doesn't seem to be that bad : Those things can go to 50/60 degrees Celsius easily!Code Selectmodule temperature: 27.90 C voltage: 3.35 Volts
Some other things you should know :
- It wouldn't be the first time a Ubiquiti UniFi Switch has issues with buffering 10 Gbps traffic...
- They also do not like Shielded CAT5e/CAT6a cables !!
- SFP+ to RJ45 modules like to have 2 slots next to them free to avoid overheating !!
Good luck! :)
#25
General Discussion / Re: GeoIP not working
Last post by buckey96 - Today at 12:42:49 AMQuote from: Patrick M. Hausen on Today at 12:36:09 AMCan you connect to ipinfo.io via HTTPS?
Yes. And I can download all the different zip files from the links with zero problems. I'm absolutely stymied on how to get this to work.
I've also tried changing GEOIP to host and then going through everything
I've changed IPV4 & IPV6 to just IPV4
I've deleted the alias and tried to just put the URL in, with no luck on any of these
#26
General Discussion / Re: GeoIP not working
Last post by Patrick M. Hausen - Today at 12:36:09 AMCan you connect to ipinfo.io via HTTPS?
#27
General Discussion / Re: GeoIP not working
Last post by buckey96 - Today at 12:33:17 AMQuote from: Patrick M. Hausen on Today at 12:19:09 AMWhat I tried to express: remove the "_src=" parameter from the IPinfo URL to make it match mine and try again. This URL works without a hitch here. I have no idea what this "_src=" thingy is good for.Thanks, I tried without the "src" and matched your URL and still no luck.
I even tried suggestions from this reddit post
https://www.reddit.com/r/opnsense/comments/1lr6yu5/maxmind_no_longer_provide_geolite_database/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
and got the same error
#28
Virtual private networks / Re: Questions to Migrate OpenV...
Last post by DanVsTheUniverse - Today at 12:20:39 AMQuote from: wewall on March 31, 2024, 05:31:49 PMQuote from: teo88 on February 02, 2024, 09:35:53 AMOld Configuration:
Interface: WAN
New Configuration:
Bind Address:
I also don't understand what the design decision is behind not being able to select an interface for binding.
I would be particularly interested what are the recommended settings if I want to bind an OpenVPN instance (client) to only one specific WAN interface with dynamic IP?
In the case of a dynamic WAN IP what bind address should be entered at all?
2 years late with this but posting in case anyone else is looking for a solution. I had exactly the same problem - my notes and solution below (dodgy hack using PBR firewall rule and NAT). Trying to move everything over last minute before the legacy VPN config is deprecated....
Old 'legacy' setup had an option to select an interface for a client VPN. So you can have an OpenVPN client configured on OPNsense, force it via a specific WAN, and that traffic will stay on that WAN.
Probably a very specific situation to people using multi-WAN who want VPN client traffic to stay on the secondary WAN, so their primary WAN is dedicated to non-VPN traffic.
That's no longer straightforward with instances, however it is possible with a dodgy workaround :)
1. Configure the client as normal, verify it connects. Assign the OpenVPN interface itself (the device), configure the gateway and whatever else you would've done anyway.
2. Add a floating rule:
Firewall → Rules → Floating → Add
Direction: out
Interface: WAN1, WAN2 (you want this on BOTH interfaces, so it matches VPN traffic going out via either)
Quick: checked (IMPORTANT, otherwise default rules are hit first and this wont apply)
Action: Pass
Proto: UDP
Source: This Firewall
Destination: <vpn server dest IP> IP address of the destination server (remote) address configured in the VPN client.
You can use an alias with multiple IP if needed, if you do, use this in the NAT rule as well.
Port: 1194
Gateway: WAN2_Gateway (whatever this is named, mine is WAN2_DHCP)
Description: PBR: Re-route OpenVPN to WAN2
3. Now if you go to Firewall > Log Files > Live View, filter on "dstport" 1194.
In another tab, go to VPN > OpenVPN > Instances. Make sure the client is enabled.
Go to VPN > OpenVPN > Connection Status, restart the client to get it to connect.
Refresh and it's probably stuck waiting.
Back in the Live View tab, you'll see it hit the rule, with the description, HOWEVER the IP will likely be the WAN1 IP. That will never work as it's now routing traffic over WAN2, with the WAN1 IP applied as source via NAT.
4. FIX: NAT rule
Go to Firewall > NAT > outbound
New rule:
Interface: WAN1
TCP/UDP Version: IPv4
Source: This Firewall
Source port: *
Destination:
Single host or Network
Address: <vpn server dest IP> (same as in the Floating firewall rule)
Destination port: 1194
Translation / target:
Address: WAN2 address
Port: static-port enabled (important for OpenVPN/UDP)
Description: PBR force OpenVPN to WAN2 (NAT)
This rule will match the traffic when it tries to exit WAN1, apply the NAT as IP of WAN2, then the PBR rule will hit and redirect to exit via WAN2 - everything matches.
Now re-start the VPN client, check the live log again, and with any luck you should now see it using the WAN2 IP, and hitting the PBR ACL rule :)
It should connect!
If you then replace the <vpn server dest IP> with an alias, then the only thing to change if you update the VPN remote server is the alias, and all rules are sorted.
Not ideal that something so basic requires this complexity but good old policy based routing and NAT allow for this dodgy workaround! If anyone knows another way around this, would be good to know. This removes the need the configure a static WAN IP binding in the VPN client which is rubbish if yours is dynamic (as are most non-business WAN IP), and that also doesn't seem to work properly for client instances anyway.
#29
General Discussion / Re: GeoIP not working
Last post by Patrick M. Hausen - Today at 12:19:09 AMWhat I tried to express: remove the "_src=" parameter from the IPinfo URL to make it match mine and try again. This URL works without a hitch here. I have no idea what this "_src=" thingy is good for.
#30
26.1 Series / Re: New rule system
Last post by tessus - Today at 12:15:56 AMThanks for the all the replies. I am still trying to understand how the new interface will look like. Are there annotated before/after screenshots for all the changes available? I have read the link Franco provided about the processing order when I started to use OPNsense (many yers ago), but since I do not use "Rule Automation", the overall processing order documentation was much more helpful to me back then.
While I could glean that the changes mostly pertain to the automation rules and UI, a bunch of posts suggested that the order of other rules (interface, floating, NAT) will change with 26.1.
If this is not the case and if everything will still work without changes when I do not use automation, this can be closed from my side. (Although I am still interested in the current discussion about automation as well.)
However, if there's anything in the UI and/or processing order that will change for anything but automation, I would like to repeat my question: how exactly does it change and what is the difference to the current UI and/or processing order?
While I could glean that the changes mostly pertain to the automation rules and UI, a bunch of posts suggested that the order of other rules (interface, floating, NAT) will change with 26.1.
If this is not the case and if everything will still work without changes when I do not use automation, this can be closed from my side. (Although I am still interested in the current discussion about automation as well.)
However, if there's anything in the UI and/or processing order that will change for anything but automation, I would like to repeat my question: how exactly does it change and what is the difference to the current UI and/or processing order?
