Recent posts

#21
General Discussion / QEMU NAT with Opnsense
Last post by August8828 - January 14, 2026, 07:33:07 PM
Hello,

Unfortunately, I have problems getting the NAT option with QEMU running on my Linux host. I use Linux as my main OS and it seems like I cannot establish a connection over my VMs which use the NAT option.

For NAT, I got assigned the 192.168.122.0/24 network. I can ping it from my Linux host. Unfortunately, when creating either a Linux or Windows VM, the network cannot be established and I do not get why. Regarding the routing table, it should use 192.168.100.1/24 as gateway.

I also use VLANs in my network. X.X100.0/24 is my management VLAN.

Do you have an idea why this is not working?
#22
General Discussion / Re: Mysterious "sendto: Permis...
Last post by Patrick M. Hausen - January 14, 2026, 07:14:01 PM
Next time try to clear the firewall states instead of rebooting.
#23
German - Deutsch / Re: Switching to IPsec Conne...
Last post by osmom - January 14, 2026, 07:11:32 PM
Quote from: viragomann on January 14, 2026, 06:11:21 PM
Quote from: osmom on January 14, 2026, 04:18:52 PM
ESP is no longer supported with the new Connections.
I don't believe that. My VPN would no longer work then either.

-> Then I'll have to take another look.


The Remote section definitely needs EAP Radius if the process is supposed to use the NPS.
And in VPN: IPsec: Mobile & Advanced Settings > eap-radius, it must be selected.
-> Yes, it is entered in VPN: IPsec: Mobile & Advanced Settings > eap-radius.

Remote configures how the client authenticates to the server.
Local, how the server authenticates to the client.

#24
Zenarmor (Sensei) / Upgraded to newer version of Z...
Last post by kwo1 - January 14, 2026, 06:55:16 PM
Hi,

Since December of last year, I've been troubleshooting what I originally thought was an OPNsense upgrade issue, but which I have now instead determined to be a Zen Armor-specific upgrade issue.

My current OPNsense setup:
  • Multiple interfaces - LAN, MGMT, WAN
  • Zen Armor has been installed since late summer 2025
  • The MGMT network has its own Zen Armor policy assigned to it named MGMT_Policy, which has "Block all internet access" turned ON.
  • I manage OPNsense through its MGMT interface IP - https://192.168.2.251/

I was on Zen Armor version 2.1.1.  If I upgrade to the newest version available, currently 2.3.2, I can no longer reach the OPNsense web URL https://192.168.2.251.  I've included screenshots below which show the live sessions page, before and after the upgrade.  Before the upgrade, you can see my workstation (192.168.2.99) is able to reach the web URL of .251.  After the upgrade, the workstation is blocked from accessing the same .251 IP.  Besides upgrading Zen Armor, nothing else changed.  I did not make any changes to the policy, the IPs, firewall rules, nothing at all.

I don't think this is specific to the latest version of Zen Armor.  I only know that it began with a version after 2.1.1. 

Post-upgrade, if I turn off "Block all internet access" on my MGMT_Policy, my workstation (192.168.2.99) can once again access https://192.168.2.251

Can someone provide insight as to why an upgrade to Zen Armor would change the behavior of the policy? 

Thank you
#25
German - Deutsch / Re: Hardware search N150 with In...
Last post by meyergru - January 14, 2026, 06:40:05 PM
You can get such mini firewalls as barebones on Amazon for < 200€. Unfortunately, RAM prices have risen sharply in the meantime, which is why models with RAM and SSD usually end up at > 300€. The cheapest 8 GByte SODIMM DDR5 already costs approx. 100€, a 256 GByte SSD approx. 50€ - below 300€ you will probably only end up with used hardware.

However, there are some models with the N100 (hardly slower) that still use DDR4, which makes it somewhat cheaper:

https://www.amazon.de/dp/B0F5GJ2JHP
https://www.amazon.de/dp/B09F4CT8LV
https://www.amazon.de/dp/B07BL2WXB9

I also found one with an N150: https://www.amazon.de/dp/B0FCY3CFW7, however the cooling looks worse there.

I would always prefer upgrading it yourself, because then you don't get no-name components.
#26
General Discussion / [SOLVED Mysterious "sendto: P...
Last post by akurmann - January 14, 2026, 06:36:06 PM
Hi,
Did you ever solve the problem? I had the same problem after I added some new firewall rules: ping to an external IP address like 8.8.8.8 did not work anymore, i.e. I also got "sendto: Permission denied".

Solution: I have just rebooted OPNsense and the problem has vanished.

I have noticed that the firewall of OPNsense sometimes does not work properly anymore after having done some (more than 5) changes to the firewall rules. A reboot always helps.
Andreas
#27
General Discussion / Looking for local Minnesota co...
Last post by ericlandfill - January 14, 2026, 06:29:02 PM
Hey All,

I've got a burgeoning industrial facility that wants to set up a new fiber network with two sites to start, along with several VLANs. I've got enough skills to be dangerous but we need to make sure it's secure.

Anyone have local contacts in Minnesota?
#28
25.7, 25.10 Series / Re: in dnsmasq dhcp: leases: b...
Last post by pseudonym3k - January 14, 2026, 06:11:56 PM
I am in a similar situation and hoping for a straightforward, clean solution.

I have some devices for which I need a reserved DHCP address assigned. The Wi-Fi MAC is not printed anywhere, I have to connect to Ethernet or Wi-Fi first to get that. I set up a reserved IP assignment in DNSMasq, then reboot the device. It just gets the dynamic IP back. The devices have no options to do anything else.

If I use the magnifier glass next to the dynamic lease in DNSmasq it takes me to the static assignment record. But still the device IP doesn't change until the lease expires.

The workarounds I have used:

1. Stop DNSMasq, edit the DNSMasq active leases file and remove unwanted leases or change the lease time, then start DNSMasq again. I haven't seen any side effects but I don't like editing files as I'll never know when it might cause a problem.

2. After the static assignment is in place, do a factory reset on the device then configure it again. Doable but not really desirable. And doesn't always work; some devices STILL get the dynamic active lease back.

3. Set the default lease time to something short *before* I connect the new device for the first time. I also need to wait until some devices (that tend to behave badly during lease renewals) are not going to be renewing during this time. If I forget to alter the default lease time then it's back to #1 or #2 or have to wait for the lease to expire, before I can finish setting up the new device.


Are there any other options I can use, to get the reserved IP assigned when the device can't cause it to happen?


I did read in Github and elsewhere that adding a delete lease function is not planned, for reasons such as possible inconsistencies. Could the active lease time be edited in the GUI to some minimum time, like five minutes, so DNSMasq could expire it in a normal way and assign the reserved IP?
#29
German - Deutsch / Re: Switching to IPsec Conne...
Last post by viragomann - January 14, 2026, 06:11:21 PM
Quote from: osmom on January 14, 2026, 04:18:52 PM
ESP is no longer supported with the new Connections.
I don't believe that. My VPN would no longer work then either.

Quote from: osmom on January 14, 2026, 04:18:52 PM
For authentication I use EAP-Radius and EAP-MSCHAPv2.
Aren't both methods intended for client authentication and to be used as alternatives in the Remote configuration?
At any rate, I looked into this a few weeks ago when I set up a road warrior server, and that is how I remember it.
On the server (Local) I simply use a TLS certificate.

The Remote section definitely needs EAP Radius if the process is supposed to use the NPS.
And in VPN: IPsec: Mobile & Advanced Settings > eap-radius, it must be selected.

Remote configures how the client authenticates to the server.
Local, how the server authenticates to the client.
#30
German - Deutsch / Re: Hardware search N150 with In...
Last post by carepack - January 14, 2026, 06:03:28 PM
Quote from: newbe on January 12, 2026, 09:12:44 PM
You can find plenty of mini PCs with 2x LAN ports, Blackview, SOYO Mini, GMKtec...:

Mini PC SOYO M4 Mini Intel Twin Lake N150 processor LPDDR5 12 GB RAM 512 GB ROM Windows 11 Pro WiFi 5
https://de.aliexpress.com/item/1005010734755262.html
138,75€

I have Blackview units, among others, and can't complain, including some that have been running 24/7 for months.

You can also find user experiences here: https://www.mydealz.de/gruppe/mini-pc

Hi,

my topic was not finding a mini PC, but finding one that has dual LAN with Intel network chipsets...

Thank you!