Recent posts

#81
25.7, 25.10 Series / Let's Encrypt IP address certi...
Last post by adv - January 26, 2026, 06:15:37 PM
I want to replace the self-signed certificate for the web GUI with a Let's Encrypt certificate for my IP address. I do not have a domain name and access it using the IP address directly. I see that Let's Encrypt just started issuing certificates for IP addresses, so I should be good to go, right? Can't get it to work.

I followed instructions found in many tutorials on the web for setting up an LE cert with an FQDN but entered the IPv4 address instead of an FQDN. A Google search brought me this set of AI-generated instructions specifically for doing it with an IP address instead of an FQDN, all of which I followed:

AI Overview

To set up OPNsense with a Let's Encrypt certificate for a public IP address, you must use the OPNsense ACME client plugin and the HTTP-01 or TLS-ALPN-01 challenge methods, as DNS challenges are not supported for IP addresses. The certificate will be valid for approximately six days and must be renewed automatically.

Prerequisites
A static, public IP address that your OPNsense firewall can serve traffic on.
The os-acme-client plugin installed on your OPNsense system (go to System > Firmware > Plugins and install it if it is not already present).
Ports 80 or 443 must be publicly accessible and forward traffic to the OPNsense instance for the duration of the validation process.

Step-by-Step Guide
1. Configure the ACME Account:
   1. Navigate to Services > ACME Client > Accounts.
   2. Click the + button to add a new account.
   3. Enter a Descriptive name.
   4. Select Let's Encrypt Production ACME v02 as the ACME CA.
   5. Enter your email address for important notifications (like renewal failures).
   6. Check the E-mail box and click Register new account.
   7. Click Save.

2. Create a Certificate:
   1. Go to Services > ACME Client > Certificates.
   2. Click the + button.
   3. Enter a Descriptive name.
   4. In the Common Name field, enter your public IP address.
   5. Select the ACME Account you created in the previous step.
   6. Click Save.

3. Configure the Challenge Type:
   1. Go to the Services > ACME Client > Settings page and then the Challenge Types tab.
   2. Click the + button.
   3. Select the Challenge Type (either HTTP-01 or TLS-ALPN-01). The HTTP-01 method is generally simpler.
   4. Select the correct Interface where the public IP resides (e.g., WAN).
   5. Click Save.

4. Issue the Certificate:
   1. Go back to Services > ACME Client > Certificates.
   2. Click the "Issue/Renew All Certificates" button (or the issue button specific to your certificate).
   3. Wait a few seconds and refresh the page. The "Issue Date" and "Last ACME Status" fields should show as "OK".

5. Automate Renewal:
   1. Let's Encrypt IP certificates are short-lived (around 6 days), so automation is essential. The OPNsense ACME client handles this automatically, but you should ensure the service is enabled and running under Services > ACME Client > Settings.
   2. You may also create an automation to restart the web GUI (under the Automations tab in ACME Client settings) and link it to the certificate to ensure the new certificate is applied automatically after renewal.

6. Assign the Certificate to the Web GUI (Optional):
   1. Navigate to System > Settings > Administration.
   2. In the Web GUI section, select your new Let's Encrypt certificate from the SSL Certificate dropdown menu.
   3. Click Save. Your browser will now use the valid certificate when you access the OPNsense web interface via its public IP address.

I DO have a firewall rule on interface WAN allowing ports 80 and 443 to "This Firewall".  I do NOT have the web GUI listening on 443.

Has anyone been able to make an IP address certificate work? Anyone got any suggestions?
#82
Q-Feeds (Threat intelligence) / Re: Testing firewall rules wit...
Last post by Q-Feeds - January 26, 2026, 06:10:59 PM
Alright! Will look into it together with Deciso and get back to you. Thanks for digging into it already, very helpful!
EDIT: Code is available on GitHub for review if you want to dig into it further: https://github.com/opnsense/plugins/tree/master/security/q-feeds-connector
#83
25.7, 25.10 Series / Re: ISC to Dnsmasq breaks some...
Last post by allenlook - January 26, 2026, 06:05:52 PM
Anybody notice my mistake yet?  LOL.
#84
25.7, 25.10 Series / Re: Need clarification before ...
Last post by franco - January 26, 2026, 05:54:26 PM
It will always auto-install when doing the upgrade 25.7 -> 26.1, yes.

Cheers,
Franco
#85
25.7, 25.10 Series / Re: Need clarification before ...
Last post by connervt - January 26, 2026, 05:37:55 PM
Quote from: franco on January 26, 2026, 10:21:17 AM
os-isc-dhcp. It will auto-install on the actual upgrade to 26.1 when it's out.

Quick follow up question, for clarification: When updating to 26.1, does the os-isc-dhcp plugin auto-install also automatically configure from one's 25.x.x ISC settings?
#86
25.1, 25.4 Series / Re: Disk space issue
Last post by gmartin - January 26, 2026, 05:34:11 PM
Thanks, all. I had read the aforementioned thread and had no luck - so I posted. And now I understand why. I'm sure there are many repeats here, so I get it.

I'll walk through @patrick's instructions and follow-up when I'm done.

\\Greg
#87
26.1 Series / Re: MiniUPNPD
Last post by franco - January 26, 2026, 05:26:57 PM
First time I hear this. Kernel ABI and upstream software didn't change from 25.7.x, so not sure what we're looking at here.

Cheers,
Franco
#88
Announcements / Re: OPNsense 26.1-RC2 released
Last post by franco - January 26, 2026, 05:24:17 PM
A hotfix release was issued as 26.1.r2_2:

o interfaces: if no idassoc6/track6 LAN is used also emit a PD request like before
o firewall: make previously associated DNAT rules editable
#89
26.1 Series / MiniUPNPD
Last post by fotring - January 26, 2026, 05:16:48 PM
Hi,
miniupnpd seems to be broken in 26.1:

miniupnpd 37136 - [meta sequenceId="85"] pfctl_get_rules_info: Invalid argument

It's spamming the routing log.

//Daniel
#90
Hardware and Performance / SFP+ to RJ45 slow WAN speeds?
Last post by viper359 - January 26, 2026, 05:08:55 PM
Looking for some advice from you IT hardware professionals and labbers.
I am having issues with WAN speeds: after a few weeks, it slows to under 1Gbps.
The ISP modem's built-in speed test shows full allocated speeds of 8Gbps up and down.
Yes, I have rebooted the modem anyway, just to be sure.
Zero info in logs. A speed test from the CLI also confirms less than 1Gbps speeds.
All links remain showing at 10GbE.
If the appliance is powered down for 5 minutes or so, full PPPoE speeds return.
Sometimes a few reboots in a row will also fix the issue.
So, I switched back to Sophos OS for the Sophos appliance, thinking maybe a FreeBSD driver issue?
However, it's now happened running this OS, which is Linux based.
Complete network info below my post.

I am thinking maybe the SFP+ to RJ45 module could be the issue, but, would that make sense? Do these things just sorta kinda work, but not fully work? The SFP module is hot, but I have been told that's normal for these types of SFPs.

The only other thing I can think of is that the SFP port on the appliance itself is the issue, but if it was, I would assume link speeds would change or at least something would show up in the logs, at least those of its maker, Sophos. Nothing ever seen.

INFO BELOW
Appliance: SOPHOS XG450
ISP: Bell Canada
Speed profile: 8Gbps symmetrical
Connected to the 10Gbps ISP modem WAN port via an RJ45 to SFP+ converter in the top SFP+ slot of the Sophos appliance
LAN connected by an SFP+ to RJ45 module to a 10Gbps Unifi switch
10GbE switch to 1st floor 10GbE dumb switch, connected at 10Gbps to an Asus BT10 wifi system
2nd floor wired from the 1st floor 10GbE Asus BT10 wifi.
Full 10GbE speeds throughout the LAN from any 10GbE capable device

Any thoughts would be greatly appreciated. I would like to switch back to OPNsense, but I gotta figure this out.