Recent posts

#81
General Discussion / Re: Where is TCP processed - C...
Last post by OPNenthu - Today at 12:07:05 PM
Understood, although there might be a reason why Protectli found that ASPM must be disabled globally rather than disabling it on a per-device basis with PCI sysctls.  Usually you don't use the nuclear option unless there's a reason, but who knows.
#82
You need to whitelist your internal addresses.

Either with this parser:

https://app.crowdsec.net/hub/author/crowdsecurity/log-parsers/whitelists

or manually following the documentation:

https://doc.crowdsec.net/u/getting_started/post_installation/whitelists/
#83
25.7, 25.10 Series / Re: GeoIP list no more correct...
Last post by meyergru - Today at 11:56:43 AM
I neither use the business edition nor have I monitored the size of the Ipinfo database over time. I use it with the community edition and for me, it works:

# wc /usr/local/share/GeoIP/alias/BE-IPv?
    9736    9736  158563 /usr/local/share/GeoIP/alias/BE-IPv4
   24323   24323  566429 /usr/local/share/GeoIP/alias/BE-IPv6
   34059   34059  724992 total

# fgrep ,BE, ipinfo_lite.csv | wc
  34059   64340 2112133

Seems like there is some kind of extraction process from the Ipinfo CSV that failed to generate all entries, maybe because of a subtle syntax error in the CSV. For example, I find this line inside the CSV:

2a14:3d02::/35,Belgium,BE,Europe,EU,AS57234,"LLC ""IT NETWORKS CHAT""",ichatua.com.ua

Note the multiple quotes. Also, there are missing ASNs in some lines. So maybe this is a parsing error within OPNsense code, but probably in the business edition only?
#84
General Discussion / Re: Where is TCP processed - C...
Last post by chemlud - Today at 11:47:48 AM
@OPNenthu Thanks for reading, yes, ASPM and offloading are apparently off the list at that point.

EEE (enabled, but apparently "inactive", see above) and the "wrong" driver (8169, which works perfectly on another Tumbleweed with old ATOM CPU with legacy BIOS and Realtek 8168 hardware, btw...) are on the list.

Not much left, apparently...
#85
Found the issue: I installed crowdsec recently... this seems to be the culprit. Guess I'll have to learn some more about that one before I turn it on again. Thanks!
#86
Quote from: meyergru on January 20, 2026, 10:00:17 PM
AFAIK, the business edition uses IPinfo per default, if not configured otherwise.

I noticed the numbers (addresses) decreased in total by about 10k. Is this the reason why those numbers changed so much?

Within the last month. Maybe 2?
#87
General Discussion / Re: Where is TCP processed - C...
Last post by OPNenthu - Today at 11:35:46 AM
It will be interesting if ASPM with coreboot is the culprit, as there is a very similar issue affecting a particular Protectli device: https://protectli.com/news/vp2440-coreboot-issue/

So that may not be limited to just Realtek NICs.  It could be an issue with coreboot handling of ASPM.

(EDIT: I saw that @chemlud's PCI link has ASPM disabled already, so am not sure if this still applies.  The Protectli work-around is to disable ASPM altogether at the OS level until a coreboot update is available.)
#88
25.7, 25.10 Series / Re: GeoIP list no more correct...
Last post by jfou1987 - Today at 10:53:37 AM
Quote from: franco on January 20, 2026, 10:06:41 PM
I've asked IPinfo to take a look. Also make sure the maximum table entries value is not too small.


Cheers,
Franco

Of course, I'm only at 3%
#89
25.7, 25.10 Series / Re: GeoIP list no more correct...
Last post by jfou1987 - Today at 10:48:37 AM
Quote from: sopex8260 on January 20, 2026, 09:57:01 PM
Maxmind or IPinfo? Anyway, this is not an opnsense issue :( It must be reported to the provider.

I already got in touch with Robert at Deciso about that specific issue.

I downloaded the Belgian whitelist; it contains almost only IPv6.
Only some IPv4, but as the list is in alphanumerical order, I can see that nothing more after 5.x.x.x is listed ...

Take a look: https://uploadnow.io/f/Qzn9R5G
#90
German - Deutsch / Re: Strange behavior of the...
Last post by s.meier68 - Today at 10:28:02 AM
Which network do the OpenVPN clients have, and where is it routed to? To the OpenVPN server? What IP does it have? What kind of network is 192.168.1.x, and where is it routed to? Is the network 10.130.0.0/20 your internal network for clients and servers? What IPs do the mail servers have?

Feel free to use IP addresses other than your original ones, but to be able to give tips, the IP addresses must at least reflect the structure.

edit: TAP device, so the clients "end up" directly in the network attached to the OpenVPN server. What IPs do the clients get then? What do you mean by virtual?