"Recent posts
#81
25.7, 25.10 Series / Re: 25.7.8 Unbound blocklist s...
Last post by OPNenthu - November 30, 2025, 02:05:07 AMWhat happens if you disable the caches?
Advanced->Message Cache Size = 0
Advanced->RRset Cache Size = 0
Advanced->Message Cache Size = 0
Advanced->RRset Cache Size = 0
#82
Zenarmor (Sensei) / Re: Something broke
Last post by ldanna1945 - November 30, 2025, 01:56:28 AMHMMMM Maybe not. IPs won't stay started now
looking at IPS log I get
2025-11-30T00:45:29Errorsuricata[116791] <Error> -- opening devname netmap:igb1-0/R@conf:host-rings=2 failed: Device busy
2025-11-30T00:45:28Warningsuricata[100143] <Warning> -- flowbit 'ET.000webhostpost' is checked but not set. Checked in 2052143 and 0 other sigs
just did another test. IPS runs if Zenarmor engine is stopped Zenarmor engine runs if IPS is stopped looks like both are trying to use same resource and there is a conflict. Am I in the ball park and do I have to choose one or the other or is there a configuration setting I have wrong or did the update change something?
Ideas?
thanks
Larry
looking at IPS log I get
2025-11-30T00:45:29Errorsuricata[116791] <Error> -- opening devname netmap:igb1-0/R@conf:host-rings=2 failed: Device busy
2025-11-30T00:45:28Warningsuricata[100143] <Warning> -- flowbit 'ET.000webhostpost' is checked but not set. Checked in 2052143 and 0 other sigs
just did another test. IPS runs if Zenarmor engine is stopped Zenarmor engine runs if IPS is stopped looks like both are trying to use same resource and there is a conflict. Am I in the ball park and do I have to choose one or the other or is there a configuration setting I have wrong or did the update change something?
Ideas?
thanks
Larry
#83
Zenarmor (Sensei) / Re: Something broke
Last post by ldanna1945 - November 30, 2025, 01:39:45 AMOk good to know thanks I learned a bit. Note: I enabled the IPS and Zenarmor engine stayed running. I even stopped and restarted the engine and it stayed running. So I guess I am good.
Thanks for the explanation I thought it was some error.
Larry
Thanks for the explanation I thought it was some error.
Larry
#84
25.7, 25.10 Series / Re: 25.7.8 Unbound blocklist s...
Last post by cat2devnull - November 30, 2025, 01:08:29 AMUnfortunately I'm seeing the same effect. Once a domain is cached by a user in a source net that is allowed access. The users from a source net that are blocked can now retrieve a cached request. It seems that source net blocking only blocks recursive DNS not cached DNS. :(
#85
General Discussion / Re: Trouble with VLAN setup on...
Last post by Patrick M. Hausen - November 30, 2025, 12:55:44 AMQuote from: User074357 on November 30, 2025, 12:52:28 AMThis is taking longer than the 60 seconds it gives you to confirm the network connection is working.
You are aware that value is editable? Change it to something more reasonable like 300 before you hit that "Test settings" button.
#86
General Discussion / Re: Trouble with VLAN setup on...
Last post by User074357 - November 30, 2025, 12:52:28 AMUpdate:
It turns out the VLAN takes a while to be up on the TrueNAS side. This is taking longer than the 60 seconds it gives you to confirm the network connection is working. So the settings were reverted before the VLAN was up.
I eventually got it working. It looks like a reboot of the OPNsense machine was also helpful.
It turns out the VLAN takes a while to be up on the TrueNAS side. This is taking longer than the 60 seconds it gives you to confirm the network connection is working. So the settings were reverted before the VLAN was up.
I eventually got it working. It looks like a reboot of the OPNsense machine was also helpful.
#87
General Discussion / Re: TUI for viewing and analys...
Last post by allddd - November 29, 2025, 11:04:15 PMI've added both horizontal scrolling and IP version filtering in v0.3.0.
For now, the IP version filter works in the same way as any other field filter ("field value" syntax). Something like ip4/ip6 is also possible, but I'll look into it later because I have to make some small-ish changes to the filter module first. For docs on IP version filtering see https://gitlab.com/allddd/opnsense-filterlog#filter.
For now, the IP version filter works in the same way as any other field filter ("field value" syntax). Something like ip4/ip6 is also possible, but I'll look into it later because I have to make some small-ish changes to the filter module first. For docs on IP version filtering see https://gitlab.com/allddd/opnsense-filterlog#filter.
#88
Hardware and Performance / Tuneables for Card Controller ...
Last post by schurlix - November 29, 2025, 10:44:28 PMHi, I'd like to contribute those tuneables I found out working for me:
<item uuid="aa63f2d8-e7c4-40dd-8943-39616357f22d">
<tunable>hint.rtsx.0.disabled</tunable>
<value>1</value>
<descr>Card Controller timeouts</descr>
</item>
As well as for my TPLink Ethernet, which sometimes lost its link somehow,
<tunable>hw.usb.quirk.0</tunable>
<value>0x2357 0x0601 0 0xffff UQ_CFG_INDEX_1</value>
<descr>carrier loss on ure</descr>
Does the job also very well.
If anyone from the community can integrate this, would be great! With those settings in place,
my old HP Elitebook serves like a charm ;)
Thank everbody for this awesome piece of technical, community artwork.
yours, schurlix
<item uuid="aa63f2d8-e7c4-40dd-8943-39616357f22d">
<tunable>hint.rtsx.0.disabled</tunable>
<value>1</value>
<descr>Card Controller timeouts</descr>
</item>
As well as for my TPLink Ethernet, which sometimes lost its link somehow,
<tunable>hw.usb.quirk.0</tunable>
<value>0x2357 0x0601 0 0xffff UQ_CFG_INDEX_1</value>
<descr>carrier loss on ure</descr>
Does the job also very well.
If anyone from the community can integrate this, would be great! With those settings in place,
my old HP Elitebook serves like a charm ;)
Thank everbody for this awesome piece of technical, community artwork.
yours, schurlix
#89
25.7, 25.10 Series / Re: Unable to Upgrade to 25.7....
Last post by utkonos - November 29, 2025, 09:19:05 PMThe eventual and successful fix was to do a config backup, fresh install (with ZFS this time), and config import. Clean and fast. A bit longer than 30 minutes but that's because I stopped to eat lunch while OPNsense copied itself to the drive.
Here are a few notes.
I was not able to get the config to read during the import config step during console boot from the USB installer (vga type). I had formatted the USB FAT32 and copied the config downloaded from the GUI to the USB. The installer recognized the da1 USB stick but was not able to find the config.xml.
The installer had difficulty with installing to the disk that still had the old OPNsense UFS partition. I tried a partial dd from /dev/zero, but there is still a secondary GPT table at the end of the disk that you should overwrite with zeros as well. Once all that is gone, the installer works just fine.
Since I could not get the config imported from a USB, I opted to configure just the WAN and LAN interfaces and nothing else. Once the install finished, I was able to connect a laptop to the LAN port and get to the default DHCP network and GUI. From there, importing the config via GUI worked flawlessly. After import and reboot, everything was back to normal and I was then able to perform the update that wasn't working in the first place.
Here are a few notes.
I was not able to get the config to read during the import config step during console boot from the USB installer (vga type). I had formatted the USB FAT32 and copied the config downloaded from the GUI to the USB. The installer recognized the da1 USB stick but was not able to find the config.xml.
The installer had difficulty with installing to the disk that still had the old OPNsense UFS partition. I tried a partial dd from /dev/zero, but there is still a secondary GPT table at the end of the disk that you should overwrite with zeros as well. Once all that is gone, the installer works just fine.
Since I could not get the config imported from a USB, I opted to configure just the WAN and LAN interfaces and nothing else. Once the install finished, I was able to connect a laptop to the LAN port and get to the default DHCP network and GUI. From there, importing the config via GUI worked flawlessly. After import and reboot, everything was back to normal and I was then able to perform the update that wasn't working in the first place.
#90
Tutorials and FAQs / Re: ndp-proxy-go: Proxy ISP pr...
Last post by Monviech (Cedrik) - November 29, 2025, 09:17:34 PMYeah it seems like my assumption was wrong it fell back after not getting an answer:
Vlan:
21:15:23.740664 IP6 2003:a:177f:8463:b40e:4343:1cc8:df32.54262 > 2003:180:2:7000::53.53: 54276+ AAAA? ipv6.google.com. (33)
21:15:25.741343 IP 172.16.1.150.52057 > 172.16.1.1.53: 54276+ AAAA? ipv6.google.com. (33)
21:15:25.751291 IP 172.16.1.1.53 > 172.16.1.150.52057: 54276 2/0/0 CNAME ipv6.l.google.com., AAAA 2a00:1450:4016:800::200e (92)
Loopback doesnt respond:
21:15:23.740672 IP6 2003:a:177f:8463:b40e:4343:1cc8:df32.54262 > ::1.53: 54276+ AAAA? ipv6.google.com. (33)
Good to know, sorry xD
Vlan:
21:15:23.740664 IP6 2003:a:177f:8463:b40e:4343:1cc8:df32.54262 > 2003:180:2:7000::53.53: 54276+ AAAA? ipv6.google.com. (33)
21:15:25.741343 IP 172.16.1.150.52057 > 172.16.1.1.53: 54276+ AAAA? ipv6.google.com. (33)
21:15:25.751291 IP 172.16.1.1.53 > 172.16.1.150.52057: 54276 2/0/0 CNAME ipv6.l.google.com., AAAA 2a00:1450:4016:800::200e (92)
Loopback doesnt respond:
21:15:23.740672 IP6 2003:a:177f:8463:b40e:4343:1cc8:df32.54262 > ::1.53: 54276+ AAAA? ipv6.google.com. (33)
Good to know, sorry xD
