Recent posts

#21
25.7, 25.10 Series / Re: random sFTP connection att...
Last post by Tamas Halmai - Today at 06:33:26 AM
Quote from: franco on December 14, 2025, 08:34:17 PM
Why would the documented default be counterproductive to other users using it successfully?


Cheers,
Franco

Franco,

This additional automated sFTP check just adds additional operational noise and confusion (gives the incorrect impression that something is going on with the server).

So, as Patrick correctly stated, it would be a nice feature to either:
- enable/disable the check after 01:00 AM
- make the schedule configurable to align that to active time of the NAS (IMHO it is absolutely common practice to switch a NAS off overnight)

BR,

Tamas

#22
25.7, 25.10 Series / Re: Reporting logs: comma in t...
Last post by pfry - Today at 06:01:08 AM
Quote from: SenseX on December 14, 2025, 10:01:33 PM
Sorry about that, I did use commas in my previous post, but I actually meant decimals.[...]

Oh, you're asking about the values? They're exactly as displayed ("." = decimal point), as in e.g. "top". The delay is likely in seconds, so your hope seems to have worked out.
#23
General Discussion / Net-SNMP Temporarily Stops Res...
Last post by PhYrE - Today at 03:55:01 AM
Hopeful someone might have run into this and can help point me in the right direction.

Have OPNsense on physical hardware, with both public and private and provider nets on it.  Net-SNMP is listening on only the private Net on one internal IP. 

About once a week, for about 2.5 hours:

Net-SNMP has started simply not responding (timing out) to MRTG. It simply resumes on its own with no interaction or involvement after maybe 2.5 hours.  This happens for all targets (interfaces) on OPNsense [ie: \igc4:MYSECRET@10.100.70.1:::::2 / \lagg0:MYSECRET@10.100.70.1:::::2 / \wg0:MYSECRET@10.100.70.1:::::2].

MRTG works for all other hosts it polls.  There is no configuration change in it from when it was working.  We see it in the logs for MRTG with OPNsense timing out and any other router/server processing correctly.

OPNsense continues to route 15-20Mbps of traffic problem-free during that time, answer DNS queries, and do everything else it is supposed to.  Reporting|Health shows normal traffic on all interfaces during this time.  Processor load is about 6%.  States, CPU temp, memory (12% used), etc are all fairly constant.  Disk is used 2%.

There is nothing I have found in the logs on why it might not respond to SNMP requests.  The fact that it just starts working again hours later takes me away from configuration issues.  The fact that the host is otherwise accessible takes me away from thinking anything is wrong on the networking side.

Any insight on where I might look next?
#24
General Discussion / Fresh install blocking most si...
Last post by Petski - Today at 02:36:24 AM
I just installed OPNsense for the first time on a dedicated small form factor PC. After getting both WAN and LAN ports configured, it looked like everything was working from the console's point of view, but I am finding that the majority of normal sites are being blocked. Zerohedge and Yahoo work perfectly but YouTube, eBay, and most other sites time out attempting to load. Also, my IP phone (Ooma) won't connect either.
Details:
 - The OPNsense firewall PC is between my Cisco router (LAN) and the cable modem (WAN).
 - The Cisco router manages the full local LAN and uses a PiHole server for DNS filtering. All DNS requests go through PiHole.
 - FYI, PiHole has been in use for many years now with no issues.
 - I have not added any filters or rules, just whatever is included in the default install.

Any help is appreciated.  I've had to bypass the firewall until I can figure this problem out.
#25
German - Deutsch / Re: Von ISC- zu KEA DHCP wechs...
Last post by MarroniJohny - Today at 02:14:01 AM
Hmm, I really don't understand the world anymore. Earlier, pinging from the LAN still worked when I had Block !RFC_1918 inactive. Now I have the rule disabled, and I can no longer ping.

As far as I can tell, I did absolutely nothing to the rules except enable the rule and disable it again.
#26
25.7, 25.10 Series / Re: Unbound: Help with mystery...
Last post by kartman - Today at 01:56:24 AM
Quote from: Boxer on December 14, 2025, 08:10:42 PM
Firefox by default uses DoH (Cloudflare) but can be turned off to use system DNS. May be worth flushing the browser and system dns caches and testing again.

This is interesting... I don't typically use Firefox but, in this test, one machine was Chrome and the other was Firefox... These last couple of replies have taught me something! Much appreciated and more digging to do now.
#27
German - Deutsch / Re: Von ISC- zu KEA DHCP wechs...
Last post by MarroniJohny - Today at 01:51:40 AM
Hi

On the production Sense I had to create practically no rules. On the lab Sense I needed these rules for it to obtain an address and get Internet access, shown here using the lab VLAN as an example:

You cannot view this attachment.

On the production Sense the last rule was enough. I wouldn't mind that either; I have now created the rules on all VLANs. But if I now want to ping a guest in the VLAN in question from the LAN (which has the golden allow-all rule), nothing comes back. This is caused by the Block !RFC_1918 rule. If I disable it, the ping goes through.

I don't get this behaviour on the production Sense. Fine, on the lab Sense I can create a reverse rule everywhere so that, as admin, one can reach everything from the LAN. But in some cases other VLANs also access, e.g., the DMZ, and I'm not keen on creating rules for everything two and three times over.

In other words, if it is incoming traffic to a guest/server, that guest/server should reply even though the Block !RFC_1918 rule is in there.

On my production Sense this works without problems; in the DMZ there, this rule is currently in place:

You cannot view this attachment.

Something else I just noticed: shouldn't the automatically created NAT rules also be displayed on the production Sense? You used to always see all the NAT rules there as well, or am I just hallucinating?

Regards and thanks
#28
25.7, 25.10 Series / Re: Reporting logs: comma in t...
Last post by passeri - December 14, 2025, 11:19:05 PM
Quote from: SenseX on December 14, 2025, 11:09:39 AM
Quote from: passeri on December 13, 2025, 10:39:08 PM
Are you referring to the comma after the date number, "December 11, 2025"? Are there other commas I am not seeing in the images?

That is one of the standard (i.e. common) date formats.
Hi,
It's not the date. The other numbers: First image:

user: 2,304  <------ 2,3 or 2304?
Ah, the not-a-comma commas :-)
#29
25.7, 25.10 Series / Re: Reporting logs: comma in t...
Last post by SenseX - December 14, 2025, 10:01:33 PM
Quote from: franco on December 14, 2025, 08:46:12 PM
Quote from: SenseX on December 14, 2025, 11:09:39 AM
user: 2,304  <------ 2,3 or 2304?
nice: 0
system: 1,59      <------ 1,59 or 159 ?
interrupt: 0
processes: 370,081      <------ What is this, 370 or 370,081 (three hundred seventy thousand and eighty-one)

Looking at the screenshot I would assume I see a decimal point.  Looking at your post I see commas that add to the confusion.  RRD/system health uses averages so it's very likely decimal points as shown in the GUI.
Cheers,
Franco
Hi,

Sorry about that, I did use commas in my previous post, but I actually meant decimals.

user: 2.304  <------ 2.3 or 2304?
nice: 0
system: 1.59      <------ 1.59 or 159 ?
interrupt: 0
processes: 370.081      <------ What is this, 370 or 370.081 (three hundred seventy thousand and eighty-one)  <---- That seems like a lot of processes.

I was hoping I could find some health report of the RTT (ping gateway) like the widget in the dashboard of Gateway.
But the health report is showing "delay" 0.002 and this number doesn't mean anything to me :)
I was hoping it was showing the RTT/ping gateway in "ms", in my case 2.3 ms
#30
General Discussion / Re: PSA: recent Comcast firmwa...
Last post by allan - December 14, 2025, 09:16:47 PM
Quote from: OPNenthu on December 14, 2025, 05:51:21 AM
Quote from: allan on December 13, 2025, 12:45:57 AM
IPv6-PD is not commonly used and it is not actively monitored, at least by Tier 1 support since they told me their diagnostics all show green.
If that's the case for business accounts... then the fact that IPv6-PD works at all for my home connection is something of a miracle and I'm on my own.

Great.
I have no evidence of this, but I am guessing business and residential accounts all go thru the same support structure. We just get a different modem and our techs wear shirts and drive trucks that say Comcast Business. We also had AT&T's different broadband offerings going back to DSL in the 90s and we had similar experiences there as well. None of them had a way for technically savvy customers to help them troubleshoot. DSL Reports forums were a lifeline back then.