Recent posts

#31
Quote from: nero355 on March 27, 2026, 03:04:15 PM
Good to know! Thnx! :)

Is this now A or B?

The whole 'Administrative VLANs vs. Operational VLANs' thing still seems to have no exact purpose by the looks of it?!

This is for B, but A has similar config just on different ports (e.g. B's port 7 = A's port 2, B's port 1 = A's port 8).

Regarding administrative vs. operational, as far as I understand, admin ones are what you define in the config, and operational is based on who actually is a member of those VLANs. I didn't really test this part, so I am not fully certain how it works. I just know that if in the GUI the Admin VLAN does not match the Op. VLAN, usually my setup is not working. So maybe it's used to indicate when you have issues in your config, e.g. you set X, but that's not happening based on your current setup (aka Operational VLAN), meaning something is not correctly set up.
#32
26.1 Series / Rule ID format affecting Secur...
Last post by Waldhaar_ - Today at 05:38:35 AM
BLUF: Built in rules have no dashes ("-") in the Rule ID (e.g., 02f4bab031b57d1e30553ce08e0ec131) and Security Onion (Elastic) seems to parse these events fine. User created rules do have dashes (e.g., 0be7d07b-1e80-47ff-8ff8-8e553095d4e5) and Security Onion (Elastic) seems unable to parse any of these rules.

I have been trying to configure my church's OPNsense to send filter logs to our instance of Security Onion. The church was previously using pfsense and filter logs were working. Elastic uses the same integration for both OPNsense and pfsense, so I initially ruled out an issue with the configuration on Security Onion. That said, I was seeing the following error: "Provided Grok expressions do not match field value". Conjured up my best SearchFu but couldn't find anything definitive. The Elastic integration for OPNsense/pfsense seems well maintained, so it seemed odd that it couldn't handle OPNsense's input.

So, I pointed my home instance of OPNsense to the church's Security Onion (networks are connected via Wireguard, and are running the exact same hardware and versions of OPNsense) and it seemed like the logs from home worked fine. However, eventually, I did find some from home that weren't being parsed (same error) and some from church that were parsed fine.

I copied the original messages of both good and bad events to compare and could find only one difference: the presence of dashes in the Rule ID. All events with dashes in the Rule ID failed to parse and all events with no dashes parse fine. As far as I can tell, all built-in rules are dash free and all user created rules use dashes. Turns out, for my home instance, I don't have explicit deny rules on each interface (using the built-in one), whereas the church does have explicit deny rules per interface. This is why, I think, most events from my home instance worked and most from the church did not.

So, anyone else using Security Onion seeing the same thing? I am also curious why the difference in formats for Rule IDs.
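As an added illustration (not from the post and not the Elastic integration's actual grok), the Python below uses a stand-in rule-id pattern that only admits the 32-hex built-in form, shows it rejecting the dashed UUID form on constructed filterlog lines, and then a tolerant pattern that accepts both; the CSV field layout and sample values are assumptions.

```python
import re

# Constructed sample filterlog lines (not taken from the post), in the assumed
# OPNsense CSV layout: rulenr,subrulenr,anchor,rule-id,interface,reason,action,dir,ipver,...
SAMPLE_LINES = [
    # built-in default-deny rule: 32-hex rule id
    "96,,,02f4bab031b57d1e30553ce08e0ec131,igc1,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,"
    "60,203.0.113.7,192.0.2.10,51234,22,0,S,1234567890,,65535,,mss",
    # user-created per-interface deny rule: dashed UUID rule id
    "110,,,0be7d07b-1e80-47ff-8ff8-8e553095d4e5,igc1,match,block,in,4,0x0,,64,2,0,none,17,udp,"
    "78,198.51.100.4,192.0.2.10,5353,5353,58",
]

# Assumed stand-in for a grok that only admits the 32-hex built-in form
# (the real Elastic pattern is not reproduced here).
STRICT_RULE_ID = r"[0-9a-f]{32}"
# Tolerant form: 32-hex OR 8-4-4-4-12 dashed UUID
TOLERANT_RULE_ID = r"[0-9a-f]{32}|[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"

def build_pattern(rule_id_re):
    """Compile a parser for the leading fixed fields of a filterlog line."""
    return re.compile(
        r"^(?P<rulenr>\d+),(?P<subrulenr>\d*),(?P<anchor>[^,]*),"
        rf"(?P<rule_id>{rule_id_re}),(?P<iface>[^,]+),(?P<reason>[^,]+),"
        r"(?P<action>pass|block|rdr|nat),(?P<dir>in|out),(?P<ipver>[46]),"
    )

def classify_rule_id(line):
    """Label the rule-id field so a failed parse can be explained."""
    rule_id = line.split(",")[3]
    if re.fullmatch(r"[0-9a-f]{32}", rule_id):
        return "builtin-hex"
    if re.fullmatch(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", rule_id):
        return "user-uuid"
    return "unknown"

def triage(lines, rule_id_re):
    """Return (parsed field dicts, list of (line, rule-id class) that failed)."""
    pattern = build_pattern(rule_id_re)
    parsed, failed = [], []
    for line in lines:
        m = pattern.match(line)
        if m:
            parsed.append(m.groupdict())
        else:
            failed.append((line, classify_rule_id(line)))
    return parsed, failed

if __name__ == "__main__":
    for name, rid in (("strict", STRICT_RULE_ID), ("tolerant", TOLERANT_RULE_ID)):
        ok, bad = triage(SAMPLE_LINES, rid)
        print(f"{name}: parsed={len(ok)} failed={[cls for _, cls in bad]}")
```

Running the strict pattern over real filterlog output and grouping failures by rule-id class is a quick way to confirm whether only user-created (UUID) rules are the ones being dropped.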
#33
If there were no specific sysctl settings that may have gotten wiped during updates, then things are most likely still all the same, which then points to an issue on the modem side.

But iperf will be the go-to tool to verify.
I will also note, from some recent work not related to OPNsense, that PPS and throughput are two very different things, so testing net load from those two angles gives a better view of things.

Recommended Sysctl Offloading Settings for i226 NIC on FreeBSD

To optimize the performance of the i226 NIC on FreeBSD, you can adjust several sysctl settings. Below are the recommended configurations:
Key Sysctl Settings

Setting                    Value               Description
net.isr.dispatch           "deferred"          Improves performance by allowing deferred processing of interrupts.
hw.ix.flow_control         "0"                 Disables flow control to enhance throughput.
hw.ix.max_interrupt_rate   Increase to 20000   Raises the maximum interrupt rate for better performance.
#34
General Discussion / Re: Crashing after upgrading t...
Last post by newsense - Today at 04:52:05 AM
You can start by posting a health check and the output of this command

ls -ltrh /var/crash/
#35
Quote from: Netlearn on Today at 02:50:46 AM
Probably, your widget is one-column width. Try expanding it to two columns. That works for me.

That was it, thanks! The issue was that I expected it to auto-expand when moved to a wide column, but it wouldn't, so I assumed that it just won't. Instead, you have to manually drag the border to resize it. :) Still not great for IPv6 because the address is not entirely visible, and the most important part (the suffix) is outside the display area unless I widen it even more. Either IPv6 addresses need the entire width, or the address needs to be line-broken like the gateway watcher does. Thanks for considering! :)
#36
Sorry if it's bad form to revive an old thread. Please let me know and I can start a new one, but I thought this would be relevant here:

I migrated to Kea from ISC. It wasn't super smooth, but I was trying to do multiple things at once. I introduced VLANs to my network and had more static assignments hard-coded in servers and devices than I realized. It took a couple of days to sort everything out, but I like the new setup, seems pretty stable.

The question now is, I removed the ISC DHCP plugin and there was a warning about manually removing the dhcp user and group. Is that recommended? I would rather clean up if they are not doing anything anymore, but after being part of the system for years, it may not be wise.

Thanks in advance for your help!
#37
26.1 Series / Re: Private IP PPPOE -OPNSense...
Last post by nicholaswkc - Today at 03:36:36 AM
Well, today it is able to ping any machine and able to browse the internet again. So strange.
#38
Quote from: nullspace on Today at 02:09:43 AM
Light work day and spent it going down a rabbit hole

Got iperf working. I tested the LAN side that has a 10GB SFP+ X553 DAC into my switch. Looks like I'm getting full bandwidth there. So started to really look hard at the I226-V which connects directly to the modem. After looking at the interface:

igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN (wan)
        options=4800028<VLAN_MTU,JUMBO_MTU,HWSTATS,MEXTPG>
        ether 20:7c:14:f4:3c:51
        inet 73.18.207.231 netmask 0xfffffe00 broadcast 255.255.255.255
        inet6 fe80::227c:14ff:fef4:3c51%igc1 prefixlen 64 scopeid 0x5
        inet6 2001:558:6007:b6:7117:e650:28b1:f71b prefixlen 128 pltime 202602 vltime 202602
        media: Ethernet 2500Base-T (2500Base-T <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
Confirming my:
- IDS is off
- Shaper Rules: None
- No spike on a single CPU when under load (top -aSH)
- Checked counters for errors or anything obvious (netstat -i)
- Looked for any kill states (pfctl -F state)
- Looked through sysctl -a | grep dev.igc.1.mac_stats for anything that might stick out
- Looked through dmesg (dmesg | grep -i igc) for resets, watchdog events, link renegotiations, DMA/ring issues


Started to think I needed to look at the threads on the forum about the i226-V.

I was running NVM version 2.14 ... so I'm updating to 2.32 tonight. Successfully updated a couple of the spare NICs already, but not seeing a speed improvement when I move my WAN port over to an updated one... though I might be getting them mixed up between the Proxmox and OPNsense. I have a failover WAN port that I also use and a maintenance port.

For the fun of it, have you tried speed testing directly from the proxmox?
#39
Development and Code Review / Re: Dashboard change request
Last post by Netlearn - Today at 02:50:46 AM
Probably, your widget is one-column width. Try expanding it to two columns. That works for me.
#40
26.1 Series / Re: Upgrade Completely Broke S...
Last post by Netlearn - Today at 02:44:17 AM
Snapshots must be made by the user, they are not automatic. Fairly easy to use and a real lifesaver when things go wrong.

As long as 25.7.11_9 is running fine, hardware issues are unlikely. Nevertheless, if your system has some time, as it appears to be, I would test memory and storage (either hdd or ssd), just to rule that out.

There are mentions of Python 3.13 in this post. OPNsense has this package already upgraded in newer 26.x versions, and it seems that it's still pending in the mimugmail repo. I don't know if that could be an issue, but it seems relevant to me: os-homeassistant-maxit working with an older version than installed when you reach OPNsense 26.x with the newest Python version installed could break things.