Recent posts

#31
Hi,

I have the following configuration working perfectly:
- two firewall rules that redirect ports 80/443 to a "proxy" host
- caddy configured on "proxy" which redirects to multiple hosts depending on the URL.

I want to transfer this configuration to the caddy OpnSense plugin. Following the documentation, I created the configuration and deleted the firewall rules, but the plugin is unable to retrieve the certificates. This is strange because in the previous configuration, Caddy retrieved the certificate directly from the destination and didn't attempt to obtain a new one from Let's Encrypt.

Old config
jeu.ericdelcamp.fr {
    reverse_proxy web3.domain.lan {
        header_up Host {upstream_hostport}
    }
}

OPNSense config
http://jeu.ericdelcamp.fr {
    handle /.well-known/acme-challenge/* {
        reverse_proxy web3.domain.lan
    }
    handle {
        redir https://{host}{uri} 308
    }
}

jeu.ericdelcamp.fr {
    handle {
        reverse_proxy https://web3.domain.lan {
        }
    }
}
#32
25.7 Series / inconsistencies in the interfa...
Last post by norse - Today at 08:27:30 AM
Hi all,

the other day I installed OPNsense 25.7 (later updated to 25.7.2) on a Sophos SG 135 rev 2. Everything went fine until I tried to connect to the web GUI, which wasn't possible, since the network ports on the Sophos showed "no carrier", even when cables were plugged in (see picture x.jpg). Neither was it possible to connect via the WAN interface (after a pfctl -d).

LAN was configured to be igb0, and WAN to be igb1 (this assignment is also shown in the picture). The indicator lamps on the SG 135 showed both "Link" and "activity" for "eth0/LAN" and "eth1/WAN" when cables were connected.

I looked a while for problems with those two interfaces, but came to no solution until I found out that in reality igb4 had to be used for LAN and igb5 for WAN.

That raises 2 questions:

1. Why does OPNsense assign the tags/description "LAN" and "WAN" to igb0 and igb1 (and not to igb4 and igb5), when obviously those are not the correct ports for LAN and WAN?

2. Is there a way to rename the ports, so that igb0 is really LAN and igb1 is really WAN?

Norse
#33
General Discussion / Adding Sophos SG230 (Rev.1 wit...
Last post by pan07gaz94 - Today at 08:15:23 AM
Hello everyone,

I currently have an Omada-based network setup and I would like to integrate a Sophos SG230 Rev.1 running OPNsense.
My goal is to route specific VLANs through OPNsense while keeping the rest of the setup functional.

I've attached a diagram showing the current setup and how the new hardware is intended to be connected.

I would really appreciate guidance on:
   •   Proper connectivity between the devices
   •   VLAN configuration and passthrough setup
   •   Recommended OPNsense and Omada settings for this scenario

Hardware in use:
   •   Router: ER7602
   •   Switch: SG3428

Thank you in advance for your help!
#34
25.1, 25.4 Series / Re: IPv6 not functional (Spect...
Last post by franco - Today at 08:03:17 AM
Thanks for the follow up. Yes, making the WAN side work should bring it back for the clients too. Good luck.
Cheers,
Franco
#35
25.7 Series / Re: SOLVED - 25.7.2 shadowsock...
Last post by franco - Today at 08:01:00 AM
What amazes me is that this stuff wasn't touched for years and apparently used successfully. Now there's an upstream change breaking this intermittently and suddenly "other" issues appear, because "others" have "similar" issues that they post about. 95% of the time these posts correlate with people updating (also likely including a reboot).

Now with that cleared:
If you suspect the config is not written correctly check the config files first. Make sure you applied the changes so that the service can rewrite the config and restart itself. Make sure you check the right file. Make sure that when it's not changing you remove the config file and hit apply to see if a new file is created at all.

If all these are still leading to a file that is wrong check the values filled out by the template, maybe they are filling out the wrong value or you filled out the wrong value perhaps.

None of this is magic. Starting at the "it doesn't do it" end is tedious to start helping when literally anything (including nothing) could be wrong.

So... where are we at?
Cheers,
Franco
#36
General Discussion / Port forwarding through WireGu...
Last post by xstaford - Today at 07:53:29 AM
Hi,

I'm struggling with port forwarding through WireGuard.
In total I have 3 OPNsense instances connected to each other, and all subnets are fully accessible from each other.
Each office is connected via a separate instance-peer setup, so each WG instance has its own interface.

I am trying to port forward from the WAN of opnsenseA to the LAN of opnsenseB, but it only works from the opnsenseA local networks.

I tried adding a reply-to gateway of the WG interface for the WAN rule, but that didn't help either. Maybe I misconfigured the gateway for WireGuard?
(IP of the WG instance of opnsenseA (tried B also), monitor IP is the LAN IP of opnsenseB.) opnsenseB has a dynamic WAN IP.

opnsenseA logs show that everything is working as expected.

Meanwhile, opnsenseB shows nothing at all...

However, if I try accessing the WAN from the LAN network of opnsenseA, both opnsenseA and opnsenseB logs show activity.
The logs of opnsenseB:

Any ideas what I might be missing?

And a second question: how do I debug it? How can I check the traffic flow to understand what is going wrong?
#37
25.7 Series / Re: Issue to reach Website hos...
Last post by Madifor - Today at 07:19:32 AM
What I am trying to figure out is why I am unable to reach the website using the public DNS entry which points to the ISP1 WAN IP when (default) traffic is routed to the internet using ISP2. When I enter, for example, webserver.mydomain as the URL in the browser, on the firewall I see that the request is received on the WAN1 interface. The port forwarding is also happening (initially it goes to a (reverse) web proxy and from there traffic reaches the correct webserver, based on the URL). My suspicion is that it is caused by the fact that the WAN IP of the ISP2 connection is on one of the other interfaces and the traffic then gets lost... I have trouble with this part of the troubleshooting; the packet capture feature doesn't give me a direction where to find the solution. Hopefully someone does know which mistakes I make in my thinking / troubleshooting process.

So just to be clear, when I restore the original setup where I also use the provided ISP device to connect to the GXS-PON terminal (media converter)
#38
25.7 Series / Re: After upgrade from 25.1.12...
Last post by BrandyWine - Today at 06:08:10 AM
@rainerle

Your x722 is many/few revs behind.
You are currently at NVM 4.00 (software 23.4 or 23.5.2), which is just about dead middle of the Intel versions available.

The latest for x722 is from software 30.1.0.1 with NVM 6.50

Matrix here --> https://cdrdv2.intel.com/v1/dl/getContent/336882

In the features matrix you can see there's not much new from old stuff to new, mostly virtualization stuff. Well, it doesn't actually say if any issues for any feature were fixed, it's just a feature matrix, etc.

Here's the crux, Intel revision 3.5 is dated June 3 2025, freeBSD v14.3 release is dated June 10 2025, the Intel doc does not list freeBSD v14.3 as supported, but shows 14.1 for latest v14.x. EDIT: see below for the 30.4 Intel release info.

My guess is, the ixl kernel driver in freeBSD 14.3 should be ok, but it appears to not be validated by Intel (see notes about 30.4)
Upgrading NVM would be for two reasons:
1) needing a newer feature
2) possibly fixing issues (of which is not mentioned in the Intel doc)

For best possible function with less probability for errors, make sure the sfp's are "Intel validated".
See the bsd doc for ethernet/driver support --> https://www.freebsd.org/releases/14.3R/hardware/#ethernet

Since the bsd 14.3 doc does say ixl supports Intel 700 series, I think it's ok as long as the SFP's are Intel type, which your outputs appear to show.

The only caveat is, where did you get those Intel SFPs? Years ago I had an issue with Cisco switch gear that only played nice with real Cisco SFPs, and the ones we got reported as "Cisco" but were actually grayware that got into the supply chain. The vendor got us new SFPs from another supply chain line and then all was good. This however was just turning up the SFP in a specific fiber mode.

All that said, the only eye-catcher is that the Intel doc does not list freeBSD v14.3 as supported, but the bsd docs seems to say ixl is good to go.
Is there something in the 14.3 ixl driver that is not playing nice with your older NVM? Possibly so. There's no matrix I can find that does back-versioning validation.

EDIT: So if you select latest release 30.4 and hit DOWNLOAD button (https://www.intel.com/content/www/us/en/content-details/778690/intel-ethernet-controller-products-release-notes.html) you get the 30.4 release notes, it lists 700 series and freeBSD 14.3 as supported. However, I downloaded the 30.4 bundle (900MB zip file) and I don't see x722 in it.

Note: The 30.4 doc mentions 700 series, no new NVM. NVM 6.5 is the latest and from what I can see, no changes to x722 between 30.1.0.1 and 30.4, other than 30.4 says freeBSD 14.3 is supported:

2.2 Intel® Ethernet 700 Series Network Adapters
     2.2.1 Firmware/NVM/NVM Update
          • None in this release

Note: The only "known issues" I see are notes around the 710, nothing for the x722.

Another oddity is, Intel docs are not 100%. Release notes list x722 as being in the Intel 30.1.0.1 download bundle, but when I open that bundle I don't find x722, I only see the 710 for 700 series.

bsd 14.3 reference: https://www.freebsd.org/releases/14.3R/announce/

Intel
https://www.intel.com/content/www/us/en/content-details/853125/intel-ethernet-controller-products-release-notes.html
30.1.0.1 bundle --> https://downloadmirror.intel.com/856143/Release__30.1.0.1.zip
30.4 bundle --> https://downloadmirror.intel.com/863589/Release_30.4.zip

Neither bundle has any x722 stuff, just 710. Makes me wonder if x722 is an integrator only item?

Also, Intel device ID 0x37d3 (dec 170) I can't find just yet. It's reporting vendor=0x8086 which is ID for Intel.

#39
General Discussion / Re: Limit Unifi Software Contr...
Last post by OPNenthu - Today at 05:34:27 AM
For convenience, I sometimes use the ShieldsUp! tool from GRC to initiate port scans on my public IP: https://www.grc.com/shieldsup

You can use the "User Specified Custom Port Probe" option to scan your ports 6789, 8080, 8443 and any others.

IMHO the self-hosted UniFi controller (especially with a local account) could be tamed even more for home internet users.  It likes to send telemetry and usage data which is fine for organizations, but I don't want it on my private network.  If you feel the same you can optionally add these to your DNS blocklist until such time that Ubiquiti gives us a proper way to disable it.

trace.svc.ui.com
crash-report-service.svc.ui.com

And yes, these domains are queried despite that I have the Analytics option unchecked in Settings.  Apparently unchecking that only anonymizes the data, based on some Reddit reports.  That unnecessarily sets up the conditions for a trust issue and I wish they would just fix it.
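A way to confirm for yourself that those telemetry names are still being queried, as an added example that is not part of the post: the script below scans resolver query-log lines for the two blocklisted domains (and any subdomain of them) and counts hits per name and per client. The log lines are constructed samples in the shape Unbound writes when query logging is enabled (client IP, query name, type, class); that format and the sample addresses are assumptions, not data from the post.

```python
import re
from collections import Counter

# Domains the post recommends adding to a DNS blocklist.
BLOCKLIST = {"trace.svc.ui.com", "crash-report-service.svc.ui.com"}

# Constructed sample lines (assumed Unbound query-log shape); not real logs.
SAMPLE_LOG = """\
[1725000001] unbound[1234:0] info: 192.168.1.50 trace.svc.ui.com. A IN
[1725000002] unbound[1234:0] info: 192.168.1.50 www.example.com. A IN
[1725000003] unbound[1234:0] info: 192.168.1.50 crash-report-service.svc.ui.com. AAAA IN
[1725000004] unbound[1234:0] info: 192.168.1.77 sub.trace.svc.ui.com. A IN
[1725000005] unbound[1234:0] info: 192.168.1.77 notsvc.ui.com. A IN
"""

# Captures "<client> <qname> <qtype> IN" after the "info:" marker.
QUERY_RE = re.compile(r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) IN")


def is_blocklisted(qname, blocklist=BLOCKLIST):
    """True if qname equals a blocklisted name or is a subdomain of one.

    Suffix matching is done on label boundaries, so notsvc.ui.com does
    not match svc.ui.com-based entries.
    """
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in blocklist)


def find_telemetry_queries(log_text, blocklist=BLOCKLIST):
    """Scan query-log text; return (per_domain, per_client) Counters of hits."""
    per_domain, per_client = Counter(), Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or an unexpected format)
        qname = m.group("qname").rstrip(".").lower()
        if is_blocklisted(qname, blocklist):
            per_domain[qname] += 1
            per_client[m.group("client")] += 1
    return per_domain, per_client


if __name__ == "__main__":
    domains, clients = find_telemetry_queries(SAMPLE_LOG)
    for name, n in domains.most_common():
        print(f"{n:4d}  {name}")
    for client, n in clients.most_common():
        print(f"{n:4d}  client {client}")
```

Feed it the real resolver log (`find_telemetry_queries(open(path).read())`) to see which hosts keep contacting those names after the Analytics option is unchecked; the subdomain match means any new collector name under the same parents is also caught.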
#40
General Discussion / Failover WAN and wanting to ac...
Last post by plm - Today at 05:33:14 AM
I've seen a number of examples of how to route traffic to a cable modem web UI when it's on a different subnet than the DHCP network it is providing, and that works fine for me.

The trouble is, I have the same type of setup on my 5G failover modem, which I don't want to pass traffic across unless the cable modem circuit is down, and I'm struggling to find the right way to configure each of the interfaces so I can route traffic to the respective web UIs, but have the internet connection properly identified as up or down, and have the secondary link only pass any traffic in a failover scenario.

Does anyone have any posts, documentation, or other pointers I can look at for how to most effectively set this up?

Thanks.