Recent posts

#21
Virtual private networks / OpenVPN to WAN
Last post by Uzzi - Today at 11:27:31 AM
Hi, I have an OPNsense server with these interfaces:
igb0 WAN -----> internet router
igb1 LAN
igb3 From Sites
I've configured an OpenVPN server published on the From Sites IP.
A VM with an OpenVPN client is connected to the OpenVPN server but cannot browse the internet through the OPNsense WAN, though it can ping the OPNsense WAN interface IP.

OPNsense itself is working fine and reaches the internet correctly.
How can I see why?
What could be the problem?
Regards
#22
Without trying to be mean, really this is a good opportunity to learn how monit does its thing.
I had the same need, how do I do "something" with monit. I spent a few days with the manual https://mmonit.com/monit/documentation/monit.html and seeing how they would translate to the UI. I was able to accomplish my goal.
May I suggest to try the "File Content Test" as your "Service Test"?
#23
Thanks again for all the tips—here's a more detailed update that hopefully clears up the DHCP side:

---

 1) DHCP configuration

* With the built-in I219 (em0) as LAN, I never touched any DHCP settings at all—just plugged my laptop into the port and it always immediately got an IP.
* Switching LAN to the I226 (igc0), I tried exactly the same: straight cable connection, laptop set to DHCP. Nothing. No address.
* I then went into Services → DHCPv4 → LAN, explicitly enabled the server and defined a 192.168.1.100–200 pool, but igc0 still never handed out any leases.

 2) Link speed/duplex

* When I ran `ifconfig igc0`, it showed `media: Ethernet autoselect (1000baseT <full-duplex>) status: active`.
* That was fine for testing against my laptop's USB-C 1 Gbps adapter, but it still didn't pass any DHCP broadcasts. In other words, even at 1 Gbps full-duplex it wasn't forwarding broadcasts off the wire.

 3) Live packet capture

 I watched the pf log via console option 10 while triggering `dhclient` on my laptop—no DHCPDISCOVER ever appeared.

---

Final resolution

I then swapped in a new adapter: an Intel I210-based M.2 adapter (the one I linked earlier) in the very same slot. On first try it came up as `igb0`, negotiated 1 Gbps full-duplex, and immediately served DHCP leases to my laptop exactly as the I219 had.



That tells me the issue wasn't DHCPd or pf at all, but a PHY/driver quirk with the I226-SRKTV under FreeBSD. I'm now running with the I210 card on LAN and everything is rock-solid. If anyone discovers a firmware or driver patch that makes the I226 work properly, I'd love to hear about it—otherwise I'm all set.

Thanks again for your help!
#24
General Discussion / static route with WAN WG LAN a...
Last post by Gautier - Today at 09:49:53 AM
Hi,

On my router I have some interfaces:
The WAN
The WG-OZ, a VPN tunnel connected to another OPNsense in another country with its own remote LAN 10.2.1.x

The LAN 10.3.1.x
The PVE 10.3.2.x

I have a static route to use the GW with VPN for the subnet 10.2.1.0/24.

From LAN I have access to internet, the LAN subnet 10.3.1.x, the PVE subnet 10.3.2.x and remote LAN 10.2.1.x
From PVE I have access to internet, its own subnet 10.3.2.x and that's all.

My problem is that I would like LAN and PVE to have the same behaviour: access from PVE to the remote LAN 10.2.1.x.

Any idea?
#25
25.1, 25.4 Production Series / Re: xz / liblzma version
Last post by brueggemann - Today at 09:45:17 AM
Quote from: Patrick M. Hausen on May 10, 2025, 12:02:49 AM
What exactly is the security relevant problem with any current version of OPNsense?

Probably nothing, it only affects services that are linked to liblzma and use the lzma_stream_decoder_mt function. After a quick and not representative research (searching for lzma_stream_decoder_mt and comparing the hit count to lzma_stream_decoder on GitHub), the multithreaded variant is hardly used.
#26
French - Français / Re: Public access and logs
Last post by Gautier - Today at 09:30:51 AM
OK, I'll dig into it further.

Thanks
#27
General Discussion / Re: Hardening DHCP
Last post by bartjsmit - Today at 09:04:03 AM
Yes, DHCP uses broadcast. Restricting clients by MAC has limited value since you cannot control the address that the client uses. For instance, an attacker can sniff packets on the network and assume the MAC and IP of a client that is allowed to connect.

Do your hardening on layer 2 by implementing VLAN separation on managed switches and multi-SSID WiFi access points.
#28
German - Deutsch / 25.1.5_6: Captive Portal funkt...
Last post by white_rabbit - Today at 08:38:02 AM
Hello.
Since the update from 25.1.5_4 to _5 we have had the known problem with the captive portal here. For us it was as described here:
https://forum.opnsense.org/index.php?topic=46796.0

In the meantime, version 25.1.5_6 has been released with a fix for the problem. We installed this version today, and the option
[x] Disable firewall rules

If this option is set, no automatic firewall rules for portal redirection
and traffic blocking will be generated. This option allows you to override
the default portal behavior for advanced use cases, such as redirections
for DNS.
See the documentation to see which rules you should implement in this scenario.
is now present as well. Unfortunately, the captive portal still does not work for us.
It is like this: if you tick the box
[x] Disable firewall rules, you are online immediately -- but the captive portal does not appear!

However, if you do not tick the box
[ ] Disable firewall rules
you are not online, but the portal does not appear automatically here either.

If you open the captive portal manually via port : 8000, you can log in and are online afterwards. Only the automatic pop-up no longer works.

We also found this page:
https://github.com/opnsense/core/issues/8585
There AndyX90 writes:
Quote
Update: The issue seems to be related to the NAT Rule, which redirects DNS traffic on cp-interface to the BIND DNS.
Disabling was somehow not enough, I had to delete it.
For the moment I will use unbound on the portal interface.
What exactly needs to be done here?

By the way: we also run AdGuard on the OPNsense. Could that be related to the portal no longer appearing?

Has any of you already solved the problem?
Thanks for a good tip.

#29
German - Deutsch / Re: Bambu Lab Printer LAN Mode...
Last post by viragomann - Today at 08:15:51 AM
Is communication between WLAN devices allowed on the AP?
#30
You and me both!