Recent posts

#31
Q-Feeds (Threat intelligence) / Re: Looking for testers Q-Feed...
Last post by Q-Feeds - December 05, 2025, 09:41:32 PM
Quote from: _tribal_ on December 05, 2025, 08:34:21 PM
Unfortunately, I had to give up on this plugin. In my case, too many resources that were critical to me were blacklisted by Q-Feeds. Otherwise, it worked quite stably. Good luck with developing the service.

That's unfortunate to hear! Sorry it didn't work out for you. We'd really appreciate it if you could share which false positives you ran into; it helps us improve the service for everyone.
#32
German - Deutsch / Re: Probleme bei der Installat...
Last post by juergen2025 - December 05, 2025, 09:23:30 PM
It was installed on UFS.
Regarding the M.2 SSD: it is brand new, and the SMART values are all unremarkable.
Unfortunately, I can no longer analyze the logs, because I have since formatted the SSD.

I will soon make another attempt at the OPNsense installation; this time, however, I will use ZFS as the file system to rule out that UFS plays a role here.
#33
25.7, 25.10 Series / Re: Unbound DNS resolution sto...
Last post by tangofan - December 05, 2025, 09:20:25 PM
Quote from: allenlook on November 05, 2025, 09:00:15 PM
Happened again yesterday.

Only a restart of Unbound DNS would resolve the issue.

Yes, I had the same issue also a few days ago. All of a sudden, DNS resolution didn't work anymore, but a restart of Unbound within OPNsense got everything back to working again.

Looks like there is some fringe condition that causes Unbound to go into a freeze. I'm wondering how to debug this, when it happens again, so someone can find the root cause of this.
#34
25.7, 25.10 Series / Re: Unwanted route that keeps ...
Last post by Patrick M. Hausen - December 05, 2025, 08:54:18 PM
UGHS - that route is static. It's configured somewhere. Have you configured a gateway on vlan0.6? Remove that.
#35
Quote from: evilaliv3 on December 05, 2025, 06:35:26 PM
What update cadence or version-selection strategy do you recommend for CE users seeking maximum security and stability, while avoiding premature upgrades or outdated releases? We hope the answers will help both our project and the wider OPNsense community adopt safer, more predictable deployment practices.

My take: always update to the latest release when it is published.

But do it in a phased rollout. Have a lab system that is for test purposes only. Update that first. If no problems arise, check the forum for any problems you might not have noticed.

Once lab is fine and 2-3 work days have passed after release, update less critical, single node systems.

Once they are fine, update more critical dual node HA systems.

And of course: install with ZFS and prepare snapshots before updating.

That procedure works for us so far. As @meyergru noted, there is the business edition.

HTH,
Patrick
#36
25.7, 25.10 Series / Re: Unwanted route that keeps ...
Last post by abenaou - December 05, 2025, 08:49:41 PM
Here are more details about the route:

Proto   Destination   Gateway   Flags   MTU   Netif   Netif (name)
ipv4   10.99.200.0/24   link#14   U   1500   Vlan0.2   LAN
ipv4   10.99.200.1   Link#10   UHS   16384   lo0   loopback
ipv4   10.99.200.180   10.99.200.1   UGHS   1500   Vlan0.6   LAN98

The unwanted route is 10.99.200.180 being sent to 10.98.200.1 which is another firewall, the traffic ends up being blocked and rejected, making the server 10.99.200.180 isolated from the internet.

Do you have any ideas?

Thanks
#37
Q-Feeds (Threat intelligence) / Re: Looking for testers Q-Feed...
Last post by _tribal_ - December 05, 2025, 08:34:21 PM
Unfortunately, I had to give up on this plugin. In my case, too many resources that were critical to me were blacklisted by Q-Feeds. Otherwise, it worked quite stably. Good luck with developing the service.
#38
German - Deutsch / Re: ISC DHCP & Unbound DNS res...
Last post by Monviech (Cedrik) - December 05, 2025, 07:56:43 PM
ISC is EOL and will soon disappear as an unmaintained plugin.

Better to switch to Dnsmasq if possible:

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration
#39
Documentation and Translation / Re: Provide clarification on r...
Last post by meyergru - December 05, 2025, 07:22:51 PM
This is not an official answer, only my observations:

1. I never saw any updates for older CE branches after the next release has come out, so I guess, if you do not apply the latest updates, you potentially risk having unfixed vulnerabilities.

2. Deciso offers the business edition for exactly the purpose you aim at. It is usually 3 months behind the community edition feature-wise (i.e. it has ripened a little), but is updated for vulnerabilities regularly. This version is the one to use if you want production quality. The CE version is free, but you have to be able to cope with problems induced by feature upgrades that come along with new releases. Short story is: You can use the CE version for free if you volunteer for testing it - otherwise, buy the business license.

3. Since the "major" updates for CE come out twice a year with YY.1 in January and YY.7 in July, they tend to have more new features in them. The minor updates that follow (e.g. YY.7.x) usually have fewer new features included - which is not to say that they cannot break.
If you can cope with not always having the "latest" and greatest, you should probably skip YY.X.0 versions or at least wait a few days after a release has been announced to see if there were necessary fixes (YY.X.Z_n).
#40
25.7, 25.10 Series / Re: GeoIP with ipinfo stopped ...
Last post by Kayakero - December 05, 2025, 07:01:26 PM
The only thing I can assume is that ipinfo removed the "Content-Disposition" header (it's hosted in Cloudflare, it doesn't make sense),
because in geoip.py it gets the name from there, and that header doesn't exist now; tested with curl verbose. I don't know how it was before.

I've forced the name ending in .gz in there so it goes through the .gzip code instead of the zip code with
filename = "ipinfo_lite.csv.gz"
and it worked.


        if url is not None and url.lower().startswith('http'):
            # flush data from remote url to temp file and unpack from there
            with tempfile.NamedTemporaryFile() as tmp_stream:
                try:
                    r = requests.get(url)
                except Exception as e:
                    syslog.syslog(syslog.LOG_ERR, 'geoip update failed : %s' % e)
                    return result
                if r.status_code == 200:
                    msg = EmailMessage()
                    msg["Content-Disposition"] = r.headers.get("Content-Disposition", '')
                    filename = msg.get_filename()
                    syslog.syslog(syslog.LOG_NOTICE, 'filename : %s .' % filename)
                    # workaround: force a .gz name so the gzip branch below is taken
                    filename = "ipinfo_lite.csv.gz"
                    tmp_stream.write(r.content)
                    tmp_stream.seek(0)
                    if not filename or filename.lower().endswith('.zip'):
                        syslog.syslog(syslog.LOG_NOTICE, 'found .zip format, process')
                        cls.process_zip(tmp_stream, result)
                    elif filename.endswith('.gz'):
                        syslog.syslog(syslog.LOG_NOTICE, 'found .gz format, process')
                        cls.process_gzip(tmp_stream, result)
                    # dump location hash (detect changes in geoIP source selection)
                    open(cls._src_hash_file, 'w').write(cls._source_hash())
                else:
                    syslog.syslog(syslog.LOG_ERR,
                                  'geoip update failed : %s [http_code: %s]' % (r.text.replace('\n', ''), r.status_code)
                    )
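
An alternative to hard-coding the name, shown here as an added example that is neither the poster's code nor OPNsense's geoip.py: classify the download by its leading magic bytes, so a missing or wrong Content-Disposition header cannot send a gzip body down the zip path. The function names and the sample CSV are constructed for illustration.

```python
import gzip
import io
import zipfile
from email.message import EmailMessage

GZIP_MAGIC = b"\x1f\x8b"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # normal and empty archive


def header_filename(content_disposition):
    """Filename from Content-Disposition, or None when the header is absent."""
    if not content_disposition:
        return None
    msg = EmailMessage()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename()


def detect_format(body):
    """Classify the download by its leading bytes, not by its advertised name."""
    if body.startswith(GZIP_MAGIC):
        return "gzip"
    if body.startswith(ZIP_MAGICS):
        return "zip"
    return None


def unpack_csv(body, content_disposition=None):
    """Return (format, csv_text); raise ValueError for anything unrecognised."""
    fmt = detect_format(body)
    if fmt == "gzip":
        return fmt, gzip.decompress(body).decode("utf-8")
    if fmt == "zip":
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            names = [n for n in zf.namelist() if n.lower().endswith(".csv")]
            if not names:
                raise ValueError("zip archive contains no .csv member")
            return fmt, zf.read(names[0]).decode("utf-8")
    name = header_filename(content_disposition)  # kept only for the error text
    raise ValueError("unrecognised archive (advertised name: %r)" % name)


# Constructed sample data, not real ipinfo content.
SAMPLE_CSV = "network,country_code\n192.0.2.0/24,NL\n198.51.100.0/24,DE\n"
GZ_BODY = gzip.compress(SAMPLE_CSV.encode())
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("sample.csv", SAMPLE_CSV)
ZIP_BODY = _buf.getvalue()
```

A body that is neither format, such as an HTML error page returned with status 200, raises ValueError instead of being handed to an unpacker.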