Recent posts

#21
Virtual private networks / Adguard Home->Unbound->Mullvad...
Last post by MoonRaider99 - November 20, 2025, 08:52:29 PM
Hello, I have OPNSense 25.7.7. I would like to route all my client devices' DNS requests to go to Adguard Home, which is installed on OPNSense, for filtering, and then to Unbound DNS, also on OPNSense, for recursion, and then from there, route all traffic out through Mullvad VPN/DNS servers. Preferably over TLS.



OPNSense DNS server set to 192.168.100.1 (my OPNSense LAN IP) under System->General Settings. Allow DNS Override is unchecked, Do not Use the Local DNS service is unchecked.

Adguard Home is configured on 53/"Primary DNS" checked in OPNSense. Adguard Home Upstream DNS servers to 127.0.0.1:5353.

Unbound listen port is set to 5353, Network Interfaces is set to All, DNSSEC support enabled. Adguard and Unbound seem to be working together correctly. No Unbound DNS over TLS or forwarding settings (yet?)



I have set Mullvad up:
Wireguard->Peers-
Enabled, Public Key from Mullvad config, allowed IPs 0.0.0.0/0, ::0/0, endpoint address set to the "Peer Endpoint" address from Mullvad config. Endpoint port set to 51820 per Mullvad config. Keepalive at 25.

Wireguard->Instances-
Enabled, Public and Private key from Mullvad config, Listen port 51820, Tunnel address 10.x.x.x/32 from Mullvad config "Interface address", also entered IPv6 address. Peers set to the Peer I just created^^^. Disable Routes checked. Wireguard enabled. Checking Status page shows Handshake Age and Sent/Received data.

Interface has been assigned to Wireguard Interface.

Gateway Settings-
I have one for IPv4, and one for IPv6. Interface set to the Wireguard Interface I just set up^^, Address family set to IPv4 (and IPv6), IP address is set to 10.64.0.1 (fc00:bbbb:bbbb:bb01::1) [Could this be the problem, since this is specifically pointing to Mullvad DNS servers?]. Far Gateway is checked. Disable Gateway monitoring is checked.

Firewall->NAT->Outbound
Separate rules set for both IPv4 and IPv6. Interface set to Wireguard Interface from above, Protocol set to any, Source address set to LAN net, Destination set to any, Translation Target set to Wireguard Interface address (not "Interface address").

Firewall->LAN Rules
Two separate rules for IPv4 and IPv6. Pass, Quick apply, Interface set to LAN, Direction IN, TCP/IP Version set to IPv4 (or IPv6), Protocol any, Source is LAN net, Destination is any, Gateway set to the previously configured Gateway for IPv4- 10.64.0.1 (or IPv6). These rules are placed above the Default allow LAN to any rule.



The result/problem:
Mullvad check and Whatsmyip are showing I am using the VPN, no DNS leaks, using Mullvad servers. But not only is Adguard Home not filtering anymore, the UI won't even load. If I turn those firewall rules off, Adguard and Unbound work fine. So I am assuming that I am bypassing Adguard and probably Unbound entirely (and somehow breaking Adguard?). How can I fix this?

Again, I am trying to route my internal clients to Adguard for filtering and monitoring, then to Unbound for recursion, and then out through Mullvad tunnels, using their DNS servers, preferably over TLS. I am new to all of this, and I'm not finding a clear solution that works.


Thank you! I appreciate your help! :)


Edit: I removed IPv6 from the machine altogether and blocked on the firewall, just to make things a little easier to deal with. So ignore all that. I tested again, no change, not that I really thought there would be.
#22
German - Deutsch / Beginner question about NAT
Last post by Bubber - November 20, 2025, 08:05:56 PM
Hello,
I'm new here and therefore inexperienced.

Setup:
I run my opnsense virtualized under proxmox. It sits behind an ISP router that runs in bridge mode. Besides WAN it also has a LAN and a DMZ. In the DMZ I have a server running that I want to make reachable from the Internet.
For that I set up a full port forward. That works flawlessly.
Problem:
Now, however, I want to block port 22 from the Internet completely. I created a corresponding rule for the WAN interface and placed it before the (automatically generated) NAT rule. Unfortunately it does not take effect. Everything is simply forwarded to the host specified in the port forward.
I have the same problem when I want to run a Wireguard instance on the firewall. No matter what I configure, requests on port 51820 are also forwarded to the host instead of being handled by the firewall/Wireguard.
I read somewhere (unfortunately I can't find the source right now) that with NAT, processing happens before the "normal" rules. But there still has to be a way for me to use Wireguard or block ssh on WAN?!?

I would be very grateful for any feedback or hints that help me solve my problem or understand it better!
Best regards
bubber
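To illustrate the ordering the post describes (rdr translation is applied before the filter rules, and among translation rules the first match wins), here is an added pf.conf fragment that is not from the poster's configuration; it assumes constructed values: igc0 is the WAN interface and 192.168.2.10 is the DMZ host behind the full port forward.

```pf
# Added illustration, not the poster's rules. Constructed assumptions: igc0 = WAN,
# 192.168.2.10 = DMZ host behind the full port forward.

# Translation rules are first-match and run BEFORE the filter rules. A catch-all rdr
# rewrites the destination of every inbound WAN packet, so a filter rule written
# against the WAN address never sees port 22 or 51820 traffic: by the time filtering
# happens, the destination is already 192.168.2.10.

# Ports the firewall itself must answer are excluded first (OPNsense GUI: a port
# forward with "No RDR (NOT)" checked, placed above the catch-all forward).
no rdr on igc0 proto udp from any to (igc0) port 51820   # WireGuard stays on the firewall
no rdr on igc0 proto tcp from any to (igc0) port 22      # SSH is never forwarded

# The full forward for everything else.
rdr on igc0 proto { tcp udp } from any to (igc0) -> 192.168.2.10

# Filter stage. Thanks to the exclusions above, port 22 still carries the WAN address,
# so a WAN rule against that address now matches (or the default deny catches it).
block in quick on igc0 proto tcp from any to (igc0) port 22
# Without the "no rdr" line the block would have to name the translated destination:
block in quick on igc0 proto tcp from any to 192.168.2.10 port 22
# WireGuard handshake traffic is passed to the firewall's own listener.
pass in quick on igc0 proto udp from any to (igc0) port 51820 keep state
```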
#23
Tutorials and FAQs / Re: OPNsense aarch64 firmware ...
Last post by franco - November 20, 2025, 07:58:34 PM
That makes sense then. Happy to see this progress. :)

We could indeed annotate the mirrors with the architectures, but keep in mind when we would add an architecture then these mirrors are invalid until declared otherwise in a release. Perhaps a minor thing, but it indicates manual maintenance which may not be worth the effort.


Cheers,
Franco
#24
General Discussion / Re: Can OPNsense allow only a ...
Last post by viragomann - November 20, 2025, 07:52:19 PM
Quote from: cicirrr on November 20, 2025, 10:55:08 AM
Right now I'm using basic policy routing, but I'm not sure if that's the correct or safest way to do it.
It is.
Just ensure that the policy-routing rule is set on the top of the rule set, so that it is checked before other rules allowing any outbound.

Quote from: cicirrr on November 20, 2025, 10:55:08 AM
Should I separate it by device or VLAN?
I assume you've assigned static IPs to the devices concerned, maybe via DHCP. So put all these IPs into an alias and use it as the source in the policy-routing rule.
Of course, you can also put all these devices in a separate VLAN if you want. Then you don't need the source alias.
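Added example (not from either poster) serving this thread and post #21 above: the policy-routing rule for the aliased devices sits at the top of the LAN rule set, but a rule for traffic to the firewall itself (DNS on 192.168.100.1:53, the AdGuard UI) must come before it, because a route-to rule with destination "any" also matches firewall-bound packets and hands them to the tunnel, which is consistent with the symptoms in #21. Constructed assumptions: igc1 is LAN, 192.168.100.0/24 the LAN net, wg1 the assigned WireGuard interface with gateway 10.64.0.1, and vpn_clients a hypothetical alias.

```pf
# Added illustration, not the posters' rule sets. Constructed assumptions: igc1 = LAN,
# 192.168.100.0/24 = LAN net, wg1 = assigned WireGuard interface, 10.64.0.1 = its
# gateway, <vpn_clients> = hypothetical alias of the devices that must use the VPN.
table <vpn_clients> { 192.168.100.50, 192.168.100.51 }

# Filter rules with "quick" are first-match. A route-to rule whose destination is
# "any" also matches packets addressed to the firewall itself: DNS queries to
# 192.168.100.1:53 and the AdGuard UI would be pushed into wg1 instead of being
# answered locally. So local services are matched first, with no route-to
# (OPNsense GUI: destination "This Firewall", gateway left at default).
pass in quick on igc1 inet from 192.168.100.0/24 to self keep state

# Policy routing for the aliased devices only; everything else they send goes
# through the tunnel. This is the rule that must sit above the default allow rule.
pass in quick on igc1 inet from <vpn_clients> to any route-to (wg1 10.64.0.1) keep state

# Unchanged default: remaining LAN traffic follows the system routing table.
pass in quick on igc1 inet from 192.168.100.0/24 to any keep state
```

Because the route-to rule is evaluated after the "to self" rule, the local resolver chain (AdGuard Home on 53, Unbound on 5353) keeps answering while everything else from the alias members leaves via the VPN gateway.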
#25
German - Deutsch / Re: Problem with sftp backup via...
Last post by viragomann - November 20, 2025, 07:31:03 PM
Hello,

Quote from: harald99 on November 20, 2025, 04:39:01 PM
When I trigger an sftp backup from OPNsense2, OPNsense2 cannot reach the server via SSH.
Does it know the route to it?
Does the server have a route to OPNsense2?

If so, does OPNsense1 allow the connection?
#26
Hardware and Performance / Re: [solved] Intel i226 Firmwa...
Last post by Seimus - November 20, 2025, 07:11:11 PM
Upgraded today as well on my N5105 PRX node

It came with the i226-V firmware:

NVM Version            : 2.20(2.14)
NVM Version            : 2.20(2.14)
NVM Version            : 2.20(2.14)
NVM Version            : 2.20(2.14)

Upgraded to 2.32 using the 1MB file + the flashing utility for linux, process was without problems.

CURRENT FAMILY: 1.0.0
CONFIG VERSION: 1.20.0

; NIC device
BEGIN DEVICE
DEVICENAME: Intel(R) Ethernet Controller I226-V
VENDOR: 8086
DEVICE: 125C
SUBVENDOR: 8086
SUBDEVICE: 0000
NVM IMAGE: FXVL_125C_V_1MB_2.32.bin
EEPID: 80000425
RESET TYPE: REBOOT
REPLACES: 80000290
END DEVICE

NVM Version            : 2.50(2.32)
NVM Version            : 2.50(2.32)
NVM Version            : 2.50(2.32)
NVM Version            : 2.50(2.32)

Regards,
S.
#27
Tutorials and FAQs / Re: OPNsense aarch64 firmware ...
Last post by Maurice - November 20, 2025, 07:06:14 PM
I was indeed wondering which mirror gets used with the default "(default)" setting. That's kind of obfuscated. 😅 But I eventually figured out that opnsense-update reads the "url" value from repos/OPNsense.conf, which does get set to CORE_PACKAGESITE at build time.

Until now, I didn't modify CORE_PACKAGESITE, hence I had to inject my mirror into config.xml.sample. Starting with 25.7.8 I will stop doing this since it's no longer necessary with the correct CORE_PACKAGESITE.

Modifying repositories/opnsense.xml isn't really necessary, correct. I just thought it would make sense to remove the amd64 mirrors while I'm at it.
Going forward, it might make sense to add an "architecture" property to each mirror in repositories/opnsense.xml. Mirrors could offer a single or multiple architectures. The GUI then could only display the mirrors which offer the system's architecture.

Cheers
Maurice
#28
Hardware and Performance / Re: [solved] Intel i226 Firmwa...
Last post by Seimus - November 20, 2025, 06:25:54 PM
Upgraded today as well on my main N100 FW

It came with the i226-V firmware:

[1] igc0: EEPROM V2.13-0 eTrack 0x80000284
[1] igc1: EEPROM V2.13-0 eTrack 0x80000284
[1] igc2: EEPROM V2.13-0 eTrack 0x80000284
[1] igc3: EEPROM V2.13-0 eTrack 0x80000284

Upgraded to 2.32 using the 2MB file, process was without problems.

CURRENT FAMILY: 1.0.0
CONFIG VERSION: 1.20.0

; NIC device
BEGIN DEVICE
DEVICENAME: Intel(R) Ethernet Controller I226-V
VENDOR: 8086
DEVICE: 125C
SUBVENDOR: 8086
SUBDEVICE: 0000
NVM IMAGE: FXVL_125C_V_2MB_2.32.bin
EEPID: 80000422
RESET TYPE: REBOOT
REPLACES: 80000284
END DEVICE

[1] igc0: EEPROM V2.32-0 eTrack 0x80000422
[1] igc1: EEPROM V2.32-0 eTrack 0x80000422
[1] igc2: EEPROM V2.32-0 eTrack 0x80000422
[1] igc3: EEPROM V2.32-0 eTrack 0x80000422

Regards,
S.
#29
Tutorials and FAQs / Re: OPNsense aarch64 firmware ...
Last post by franco - November 20, 2025, 06:08:36 PM
Thanks, this works nicely. Now I can get the fingerprints back if I install a development version from our repo. This is still not optimal but it helps and I'll keep pondering about it. I also pushed the man page update for the opnsense-bootstrap change.

FWIW, I don't think you strictly need to change opnsense.xml as you inject the correct mirror into the configuration, as it seems. But I was wondering where it reads the default from anyway, which is the OPNsense.conf file, so I think you don't even need to do that and "(default)" should just work.

Maybe we can hide the other repositories for aarch64 on opnsense.xml but I'm not sure yet.


Cheers,
Franco
#30
25.7, 25.10 Series / High CPU on Dashboard
Last post by cyberfarer - November 20, 2025, 05:59:29 PM
Greetings,

I am seeing an issue on the dashboard where widgets cause many PHP and PHP-CGI processes to spawn that eventually consume all CPU. The widgets themselves become unresponsive. I've noted this issue raised on these forums but not addressed and possibly unrelated.

Logs show entries like this:
2025-11-19T22:11:53-05:00 OPNsense.localdomain configd.py 381 - [meta sequenceId="18"] [68d947aa-2219-44e2-b504-bb0cc73ee1c8] Script action failed with Command '/usr/local/opnsense/scripts/routes/gateway_status.php' died with <Signals.SIGKILL: 9>. at Traceback (most recent call last):   File "/usr/local/opnsense/service/modules/actions/script_output.py", line 89, in execute     subprocess.run(script_command, env=self.config_environment, shell=True,   File "/usr/local/lib/python3.11/subprocess.py", line 571, in run     raise CalledProcessError(retcode, process.args, subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/routes/gateway_status.php' died with <Signals.SIGKILL: 9>.

This began when configuring IDS, but I have since disabled and removed all rules and the issue persists so I now believe it is unrelated.

Thoughts and ideas are welcome.

P.S. CPU is fine so long as I don't visit the dashboard or remove the impacted widgets.