Recent posts

#81
25.7, 25.10 Series / Re: Weird errors after update ...
Last post by mkuech - November 29, 2025, 10:37:37 AM
I found this thread after the update to 25.7 appeared to leave my system in a semi-broken state. It ran after the 25.7 update, but like the others, it wasn't able to update past that. I attempted the bootstrap, but something about that bricked my install.

I then downloaded the latest VGA image and performed a fresh install from USB, which started me out on 25.7. The first time, the pkg db was corrupted after attempting to install the Realtek plugins from the console (my LAN interface requires it). Instead of trying to deal with that, I just started the installation process all over again. The second time, I did that Realtek step manually in the live environment via the console, and performed the installation with the opnsense-installer command.

It's now up again, however, it won't update past that, just like before... which is unfortunate, because a couple of plugins are demanding an update.

And yes, N100 here too.

The most recent output from the "Updates" tab:
***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.7 (amd64) at Sat Nov 29 03:12:08 CST 2025
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (162 candidates): .......... done
Processing candidates (162 candidates): ...... done
Checking integrity... done (1 conflicting)
  - py311-pyopenssl-25.3.0_1,1 conflicts with py311-openssl-25.0.0_1,1 on /usr/local/lib/python3.11/site-packages/OpenSSL/SSL.py
Checking integrity... done (0 conflicting)
The following 85 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
py311-pyopenssl: 25.3.0_1,1

Installed packages to be UPGRADED:
boost-libs: 1.88.0_1 -> 1.89.0_1
ca_root_nss: 3.108 -> 3.117_2
curl: 8.14.1 -> 8.17.0
kea: 2.6.3_1 -> 3.0.2
krb5: 1.21.3_1 -> 1.22.1
liblz4: 1.10.0,1 -> 1.10.0_2,1
libnghttp2: 1.66.0 -> 1.68.0
libpfctl: 0.15 -> 0.17
libucl: 0.9.2_1 -> 0.9.2_2
libunistring: 1.3 -> 1.4.1
libxml2: 2.14.5 -> 2.14.6
lighttpd: 1.4.79 -> 1.4.82
nspr: 4.36 -> 4.38.2
nss: 3.113.1_1 -> 3.118.1
ntp: 4.2.8p18_4 -> 4.2.8p18_5
openssh-portable: 10.0.p1_1,1 -> 10.2.p1_1,1
openssl: 3.0.17,1 -> 3.0.18,1
openvpn: 2.6.14 -> 2.6.16
opnsense: 25.7 -> 25.7.8
opnsense-lang: 25.1.11 -> 25.7.4
opnsense-update: 25.7 -> 25.7.8
pcre2: 10.45_1 -> 10.47
perl5: 5.40.2_2 -> 5.42.0_1
php83: 8.3.23 -> 8.3.28
php83-ctype: 8.3.23 -> 8.3.28
php83-curl: 8.3.23 -> 8.3.28
php83-dom: 8.3.23 -> 8.3.28
php83-filter: 8.3.23 -> 8.3.28
php83-gettext: 8.3.23 -> 8.3.28
php83-ldap: 8.3.23 -> 8.3.28
php83-mbstring: 8.3.23 -> 8.3.28
php83-pcntl: 8.3.23 -> 8.3.28
php83-pdo: 8.3.23 -> 8.3.28
php83-pear: 1.10.13 -> 1.10.16
php83-phpseclib: 3.0.46 -> 3.0.47
php83-session: 8.3.23 -> 8.3.28
php83-simplexml: 8.3.23 -> 8.3.28
php83-sockets: 8.3.23 -> 8.3.28
php83-sqlite3: 8.3.23_1 -> 8.3.28
php83-xml: 8.3.23 -> 8.3.28
php83-zlib: 8.3.23 -> 8.3.28
pkcs11-helper: 1.29.0_3 -> 1.31.0
py311-aioquic: 1.2.0 -> 1.3.0_1
py311-anyio: 4.9.0 -> 4.11.0
py311-attrs: 25.3.0 -> 25.4.0
py311-certifi: 2025.6.15 -> 2025.10.5
py311-charset-normalizer: 3.4.2 -> 3.4.4
py311-cryptography: 44.0.3_2,1 -> 45.0.7_1,1
py311-dnspython: 2.7.0,1 -> 2.8.0_1,1
py311-duckdb: 1.3.1_1 -> 1.3.2
py311-idna: 3.10 -> 3.11
py311-jq: 1.8.0_1 -> 1.10.0
py311-markupsafe: 3.0.2 -> 3.0.3
py311-numexpr: 2.11.0 -> 2.14.1
py311-numpy: 1.26.4_6,1 -> 1.26.4_10,1
py311-pandas: 2.2.3_2,1 -> 2.2.3_3,1
py311-pycparser: 2.22 -> 2.23
py311-pylsqpack: 0.3.22 -> 0.3.23
py311-pyyaml: 6.0.1_1 -> 6.0.3
py311-requests: 2.32.4 -> 2.32.5
py311-sqlite3: 3.11.13_11 -> 3.11.14_11
py311-trio: 0.30.0 -> 0.32.0
py311-truststore: 0.10.1 -> 0.10.4
py311-typing-extensions: 4.14.0 -> 4.15.0
py311-ujson: 5.10.0_1 -> 5.11.0
py311-urllib3: 1.26.20,1 -> 2.5.0,1
py311-vici: 5.9.11_1 -> 6.0.3
python311: 3.11.13 -> 3.11.14
readline: 8.2.13_2 -> 8.3.1
sqlite3: 3.50.2_1,1 -> 3.50.4_2,1
strongswan: 5.9.14 -> 6.0.3_1
sudo: 1.9.17p1 -> 1.9.17p2_2
suricata: 7.0.11_1 -> 8.0.2
syslog-ng: 4.8.2_3 -> 4.10.2
unbound: 1.23.1 -> 1.24.1
wpa_supplicant: 2.11_5 -> 2.11_7
zstd: 1.5.7 -> 1.5.7_1

Installed packages to be REINSTALLED:
cyrus-sasl-2.1.28_5 (provided shared library changed)
cyrus-sasl-gssapi-2.1.28 (provided shared library changed)
dnsmasq-2.91_1,1 (required shared library changed)
glib-2.84.1_3,2 (required shared library changed)
openldap26-client-2.6.10 (required shared library changed)
rrdtool-1.9.0_1 (direct dependency changed: perl5)

Installed packages to be REMOVED:
py311-openssl: 25.0.0_1,1

Number of packages to be removed: 1
Number of packages to be installed: 1
Number of packages to be upgraded: 77
Number of packages to be reinstalled: 6

The process will require 8 MiB more space.
[1/88] Upgrading libnghttp2 from 1.66.0 to 1.68.0...
[1/88] Extracting libnghttp2-1.68.0: .......... done
[2/88] Upgrading libpfctl from 0.15 to 0.17...
[2/88] Extracting libpfctl-0.17: ...... done
[3/88] Upgrading libucl from 0.9.2_1 to 0.9.2_2...
[3/88] Extracting libucl-0.9.2_2: .......... done
[4/88] Upgrading libunistring from 1.3 to 1.4.1...
[4/88] Extracting libunistring-1.4.1: .......... done
[5/88] Upgrading nspr from 4.36 to 4.38.2...
[5/88] Extracting nspr-4.38.2: .......... done
[6/88] Upgrading pcre2 from 10.45_1 to 10.47...
[6/88] Extracting pcre2-10.47: .......... done
[7/88] Upgrading perl5 from 5.40.2_2 to 5.42.0_1...
[7/88] Extracting perl5-5.42.0_1:
pkg-static: Fail to set time on /Archive/Tar/Constant.pm:No such file or directory
[7/88] Extracting perl5-5.42.0_1... done
Starting web GUI...done.
***DONE***
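The transcript above says ***DONE*** although only step 7 of 88 ran. The following triage script is an added example, not code from the post or from OPNsense: it parses a pkg upgrade transcript for integrity conflicts, pkg errors and the last progress marker, and flags a run that stopped short of the announced step count. The embedded log is a constructed excerpt modelled on the transcript above; the function names are my own.

```python
import re

# Constructed excerpt modelled on the transcript above (abridged to the lines that matter).
SAMPLE_LOG = """\
Checking integrity... done (1 conflicting)
  - py311-pyopenssl-25.3.0_1,1 conflicts with py311-openssl-25.0.0_1,1 on /usr/local/lib/python3.11/site-packages/OpenSSL/SSL.py
Checking integrity... done (0 conflicting)
[1/88] Upgrading libnghttp2 from 1.66.0 to 1.68.0...
[1/88] Extracting libnghttp2-1.68.0: .......... done
[7/88] Upgrading perl5 from 5.40.2_2 to 5.42.0_1...
[7/88] Extracting perl5-5.42.0_1:
pkg-static: Fail to set time on /Archive/Tar/Constant.pm:No such file or directory
[7/88] Extracting perl5-5.42.0_1... done
Starting web GUI...done.
***DONE***
"""

# pkg progress markers, conflict lines from the integrity check, and pkg's own error lines
STEP_RE = re.compile(r"^\[(\d+)/(\d+)\] (?:Upgrading|Installing|Reinstalling|Deinstalling|Extracting) (\S+)")
CONFLICT_RE = re.compile(r"^\s*-\s+(\S+) conflicts with (\S+) on (\S+)")
PKG_ERR_RE = re.compile(r"^pkg(?:-static)?: (.+)$")


def triage(log: str) -> dict:
    """Summarise a pkg upgrade transcript and flag an early stop."""
    last_step = total = 0
    conflicts, errors = [], []
    for line in log.splitlines():
        if m := STEP_RE.match(line):
            last_step, total = int(m.group(1)), int(m.group(2))
        elif m := CONFLICT_RE.match(line):
            conflicts.append({"new": m.group(1), "old": m.group(2), "path": m.group(3)})
        elif m := PKG_ERR_RE.match(line):
            errors.append(m.group(1))
    return {
        "conflicts": conflicts,
        "errors": errors,
        "steps_done": last_step,
        "steps_total": total,
        # ***DONE*** only means the update script exited; pkg itself may have stopped early.
        "incomplete": "***DONE***" in log and total > 0 and last_step < total,
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['steps_done']}/{r['steps_total']} steps ran, incomplete={r['incomplete']}")
    for c in r["conflicts"]:
        print(f"conflict: {c['new']} vs {c['old']} on {c['path']}")
```

Feed it the full text from the Updates tab (or /var/log/pkg.log output) to get the same summary for a real run.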
#82
German - Deutsch / Re: Grundsatzfrage
Last post by viragomann - November 29, 2025, 10:36:20 AM
Hello,

yes, there are no major changes there either.
For the phone everything stays the same, and the same applies to the devices in the LAN and to the guest WLAN.

The OPNsense gets a WAN IP behind the FritzBox in the .81 network. This IP has to be configured on the FB as Exposed Host so that everything (IPSec) is forwarded to the OPNsense.

If you set up IPSec on OPNsense, you also have to create firewall rules for it on WAN. Out of the box nothing is allowed there.

Regards
#83
German - Deutsch / Grundsatzfrage
Last post by openjs - November 29, 2025, 10:12:26 AM
Hello,

I am planning to migrate a network from Fritzbox to "something better" ...

After reading OpnSense for Dummies (specifically for Fritzbox switchers), I am wondering whether I am overlooking anything.

Info: all networks are currently /24.

Current state:
FB does everything, including an IPSec connection to another site.

                      WAN        IPSec
                       |         connection
                       |  +----------
                       |  |
                       |  |
+---------+     +------------+        +-----------+
| Phone   |-----|  FritzBox  |--------| No WLAN   |
|         |     |  + IPSec   |        +-----------+     +----------+
+---------+     |192.168.80.1|--------------------------|Guest WLAN|
                +------------+                          +----------+
                       |
                       |
                +------------+
                | Internal   |
                | LAN        |
                |192.168.80.x|
                +------------+

There is no device in the WLAN, and it is not needed here either. All devices are in the "normal" network behind the Fritzbox.

Wish list: a proper firewall goes in.
FB keeps doing phone and guest WLAN, nothing else. The FB's network moves from .80 to .81
The firewall routes between the FB network (which stays empty, only FB and firewall); no device will go in there.
The firewall also takes over the IPSec connection.

                       WAN        IPSec
                        |         connection
                        |           |
                        |           |
                        |           |
 +---------+     +------------+     |  +-----------+
 | Phone   |-----| FritzBox   |-----|--| No WLAN   |
 |         |     | no IPSec   |     |  +-----------+     +----------+
 +---------+     |192.168.81.1|--------------------------|Guest WLAN|
                 +------------+     |                    +----------+
                        |           |
           Transit LAN  |           |
                        |           |
                 +------------+     |
                 |192.168.81.2|
                 | OPNsense   |-----+
                 |  + IPSec   |
                 |192.168.80.1|
                 +------------+
                        |
                        |
                 +------------+
                 | Internal   |
                 | LAN        |
                 |192.168.80.x|
                 +------------+

From the descriptions in the for Dummies guide I gathered that there can be problems accessing the WLAN and the transit LAN. That is not a use case for me, though. There will be no devices in the transit LAN, and likewise no access to the WLAN is necessary or desired.
Guest WLAN keeps doing its own thing. It simply has internet.

From my point of view this should work, or have I overlooked something?

Thanks

#84
25.7, 25.10 Series / Crowdsec Installation
Last post by nicholaswkc - November 29, 2025, 10:06:25 AM
Dear all,
I did a fresh installation of my opnsense but found out that crowdsec was not offered as a plugin. How do I install crowdsec?
#85
Tutorials and FAQs / Re: ndp-proxy-go: Proxy ISP pr...
Last post by meyergru - November 29, 2025, 09:43:57 AM
That is a bit tricky: AFAIR, you cannot redirect on the loopback address on IPv6 because of RFC4921 section 2.5.3 saying that the responses should not be routed, so "::1" is out of the question (as are link-local addresses for obvious reasons). For IPv4, this works with a redirection to 127.0.0.1.

What I do is something like this:

The redirect target IP is an alias, which is a dynamic IPv6 alias on any IPv6-enabled interface with the EUI-64 of that interface (which is the same as the EUI-64 of the link-local IPv6).

Also note that I have an exception for one host alias (BLOB_MAC), which is identified by its MAC, because I cannot be sure if that client uses IPv6 privacy extensions. I need this exception because that client uses ACME with DNS-01 verification which Unbound cannot forward.
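How the alias target in the post is derived, as an added example (not code from the post or from the ndp-proxy-go project): the modified EUI-64 interface identifier per RFC 4291 Appendix A is computed from the interface MAC, which yields both the link-local address and the routable address in any /64 prefix, so a dynamic alias keyed on the EUI-64 picks the routable one as the redirect target. The MAC, prefix and address list are constructed sample values; the function names are my own.

```python
import ipaddress
from typing import List, Optional


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 App. A): insert ff:fe in the middle, flip the U/L bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]  # toggle the universal/local bit
    return int.from_bytes(eui, "big")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the EUI-64 IID: the link-local address SLAAC forms from the MAC."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_iid(mac))


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Routable address in a /64 prefix whose IID is the same EUI-64 as the link-local."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def has_eui64_iid(addr: str, mac: str) -> bool:
    """True when the low 64 bits of addr are this interface's EUI-64 IID.
    False on a client address is what RFC 4941 privacy extensions look like."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1) == eui64_iid(mac)


def pick_redirect_target(addrs: List[str], mac: str) -> Optional[str]:
    """From an interface's address list (CIDR or plain), return the first non-link-local
    address carrying the EUI-64 IID, i.e. what a dynamic EUI-64 alias resolves to."""
    for a in addrs:
        ip = ipaddress.IPv6Address(a.split("/")[0])
        if not ip.is_link_local and has_eui64_iid(str(ip), mac):
            return str(ip)
    return None


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    print("link-local:", link_local_from_mac(mac))
    print("in 2001:db8:1:2::/64:", address_from_prefix("2001:db8:1:2::/64", mac))
```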
#86
Tutorials and FAQs / Re: ndp-proxy-go: Proxy ISP pr...
Last post by Courier1027 - November 29, 2025, 09:10:16 AM
Quote: If you receive a DNS server from your ISP, but want the router to be the sole DNS server, use a Port Forward to force traffic destined to port 53 to the local running Unbound server instead.
I am very new to IPv6 and this is my hobby project so please be gentle. I have already implemented this in IPv4 with port forward to 127.0.0.1. How do I identify the IPv6 address of the local running Unbound server and implement for IPv6? My IPv6 stack is working well with this plugin with LAN configured as link-local so thanks for this.
#88
25.7, 25.10 Series / Re: Help Needed: Branding & UI...
Last post by franco - November 29, 2025, 09:00:19 AM
We do offer branding as a service. :)

Cheers,
Franco
#89
25.7, 25.10 Series / Re: Help Needed: Branding & UI...
Last post by meyergru - November 29, 2025, 08:38:56 AM
Wow. Just wow.

Sounds a little like "I am too dense to actually modify the code by myself to start a business on your hard work - could you please do that for me or at least help me do it?"

Good luck with that.
#90
General Discussion / Re: new setup cannot reach lin...
Last post by meyergru - November 29, 2025, 08:31:22 AM
There are some virtualisation settings in most BIOSes, often called SVM or AMD-V (IOMMU comes to mind, but your quote about the board sucking makes me think the latter is not available). Also, I always use the "host" CPU emulation type in Proxmox, where the CPU is not emulated but passed through to the VM.