Recent posts

#81
General Discussion / Re: Rule confusion between sep...
Last post by brigmaticlaw - November 25, 2025, 06:31:42 PM
Hey thank you for the reply and apologies for the delay in my response. I have now gotten this figured out. I have had the hardest time shifting my mindset from audio signal flow (after 15 years as a career) to network traffic flow. My biggest issue was looking at things from the perspective of the firewall as opposed to from the perspective of the interface I was working with. All is working as intended now!

#82
General Discussion / Re: OPNsense DNS over TLS forw...
Last post by cookiemonster - November 25, 2025, 06:12:20 PM
They should probably refer back here. It might be their Unbound, but it is the OPN implementation. Please note I am not saying the implementation is wrong, but we should be able to assist.
You've stated that the DNS queries are going unencrypted. May I ask how you verified this?
If I enable DoT on Unbound OPN's settings, by looking at a packet capture, the traffic is encrypted.
I use DoT permanently but in a different way, however the verification of it working is the same.
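
The packet-capture check the reply above refers to, as an added example (not the poster's own commands or anything from OPNsense): capture WAN traffic to ports 53 and 853 and count which flows leave from the firewall's own address. The interface name pppoe0, the WAN address 203.0.113.5 and the upstream 9.9.9.9 are assumptions, and the sample capture lines are constructed.

```shell
#!/bin/sh
# Added example, not from the post: checking from the OPNsense shell whether
# Unbound's upstream queries leave the WAN in the clear (port 53) or as DoT
# (port 853). Interface name and addresses are assumptions.
#
# Live capture (-n keeps ports numeric, -l line-buffers so it can be piped):
#   tcpdump -nli pppoe0 'port 53 or port 853' | dot_audit 203.0.113.5
# Only traffic *sourced* from the firewall's WAN address counts: client queries
# arriving on LAN port 53 are expected and say nothing about the upstream leg.

set -u

# Summarise tcpdump text on stdin. $1 = the firewall's own WAN address.
# Prints "plaintext=N dot=M": N flows to port 53, M to port 853 (IPv4 only).
dot_audit() {
    awk -v me="$1" '
        # tcpdump line: TIME IP SRC.PORT > DST.PORT: ...
        $2 == "IP" && substr($3, 1, length(me) + 1) == me "." {
            n = split($5, d, ".")       # last dotted field is "PORT:"
            port = d[n]; sub(":", "", port)
            if (port == "53") plain++
            else if (port == "853") tls++
        }
        END { printf "plaintext=%d dot=%d\n", plain + 0, tls + 0 }'
}

# Constructed sample, in tcpdump -n format: one DoT handshake, one plaintext
# upstream query, and a LAN client query that must be ignored.
SAMPLE='18:12:20.100000 IP 203.0.113.5.51234 > 9.9.9.9.853: Flags [S], seq 1, win 65535, length 0
18:12:20.200000 IP 203.0.113.5.40001 > 9.9.9.9.53: 12345+ A? example.com. (29)
18:12:20.300000 IP 192.168.1.20.50000 > 192.168.1.1.53: 4+ A? example.org. (29)'

# Run the audit over the sample; a correctly working DoT setup reports plaintext=0.
dot_audit_sample() {
    printf '%s\n' "$SAMPLE" | dot_audit 203.0.113.5
}
```

On a firewall where DoT is really in use, the live run should show only port 853 flows from the WAN address; a non-zero plaintext count with an upstream address as destination is the leak the thread is asking about. Without `-n`, tcpdump prints service names (`domain`, `domain-s`) instead of numbers and the port test above would not match.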
#83
General Discussion / Re: Multi-wan with PPPoE not w...
Last post by Monviech (Cedrik) - November 25, 2025, 06:06:52 PM
I do not have much knowledge about this, I just wanted to reference these tickets that say it's not possible for some reason.

What I assume is that dhclient installs interface routes like this

default via 10.0.0.1 dev pppoe0
default via 10.0.0.1 dev pppoe1
etc...

And these overwrite each other, so the last PPPoE connection that comes up wins, or something? I don't know though, it's all assumptions from my end.
#84
General Discussion / Re: FIB/VRF support in OPNsens...
Last post by pfry - November 25, 2025, 05:43:59 PM
Forgot to mention: frr. Should support fibs; I haven't used it.
#85
General Discussion / Re: Multi-wan with PPPoE not w...
Last post by Maurice - November 25, 2025, 05:34:18 PM
PPP interfaces don't really need a gateway IP address - it's point-to-point, there's no ARP involved.

@Monviech Could we work around this by assigning random (or static) dummy IP addresses to PPP gateways?

@charles As a workaround, maybe creating static gateways with random IP addresses works?

Cheers
Maurice
#86
General Discussion / Re: OPNsense DNS over TLS forw...
Last post by InvalidHandle - November 25, 2025, 05:29:21 PM
The Github report is here: github.com/NLnetLabs/unbound/issues/1379
#87
25.7, 25.10 Series / Re: Using Adguard Home and DNS...
Last post by JMini - November 25, 2025, 05:26:16 PM
I don't know what could be causing that DHCP non-renew issue. There are a lot of folks here way more experienced with this than I am.
Maybe start a new thread.
#88
German - Deutsch / Re: Wireguard VPN Verbindung a...
Last post by meyergru - November 25, 2025, 05:13:59 PM
No, in addition to the rules for reaching the WireGuard port, you also need rules for the traffic that leaves the tunnel.

That is step 5 here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html
#89
General Discussion / FIB/VRF support in OPNsense
Last post by pfry - November 25, 2025, 04:34:27 PM
There have been a few discussions of this in the fora; I didn't see any relevant github requests.

Would anyone be up for FIB/VRF support?

It could be implemented pretty simply. As with many OPNsense features, you could use VRFs/FIBs to really screw yourself up. But I think the feature would be quite usable. The beauty is that default behavior would not change in any meaningful sense, and it could be tested to a considerable extent without (GUI) implementation.

Details:

Possible kernel compile option: "options ROUTETABLES=n". Apparently the standard kernel can be configured (using "net.fibs", as below) for at least n=2. Appropriate setting? I imagine it would depend on impact, if any.

System:
  • Settings:
    • "net.fibs" in loader.conf. Not sure where to put this setting (General -> Networking, as "FIBs" or "VRFs"?). It would be used as an interlock for most of the settings below. Interlock behavior options: vanish/gray/do nothing/error on setting; zero/ignore fib settings when "net.fibs" is unconfigured.
    • "net.add_addr_allfibs" - I would make this a tunable, default 0. I'm not sure if this setting is still available, or if it will be in future versions.
  • Gateways:
    • Configuration:
      • "fib" setting for the gateway.
      • "fib" column (not selected by default) for the display. I would display data from all fibs, using "setfib n [command]", as n=0 should always be valid.
  • Routes:
    • Configuration:
      • "fib" setting for the route.
      • "fib" column for the display, as above.
    • Status:
      • "fib" column for the display, as above.

Interfaces:
  • [Interface]:
    • "fib": integer

Firewall:
  • Automation:
    • Filter:
      • "fib" column for the display, as above. I would include this as the current display has lots of options.
  • Rules:
    • [Interface]:
      • Interlock: for "Action" = Pass, "Direction" = In: "fib" (pf "rtable") setting: integer.

I've likely missed (quite) a few... e.g. "fib" for ping, trace.

Possible caveat: "route" may be fussy with fib > 0 - it might require an "up" interface in the fib in order to add routes. I'm not sure if this is a non-default behavior, as I haven't tested it.
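
The "testable without GUI implementation" part of the proposal above, as an added example that is not the poster's code or anything from OPNsense: the boot-time prerequisite, the interlock (fib must be below net.fibs), the pf `rtable` syntax the post maps to a per-rule "fib", and the setfib(1)-wrapped commands to populate and inspect a second table. The interface vtnet1, the networks 192.168.2.0/24 and 192.0.2.1, and fib 1 are assumptions; the live part only runs on FreeBSD.

```shell
#!/bin/sh
# Added example, not from the post or OPNsense: exercising FreeBSD FIBs by hand.
# Interface names, addresses and fib numbers below are assumptions.
#
# Boot-time prerequisite (no live equivalent): either a kernel built with
#   options ROUTETABLES=2
# or, on the stock kernel, the loader tunable in /boot/loader.conf:
#   net.fibs=2
# After a reboot "sysctl -n net.fibs" reports the table count; valid fib numbers
# are 0 .. net.fibs-1, and fib 0 is the table everything uses today.

set -u

# The proposal's interlock: a fib setting is only meaningful when it is below
# net.fibs. $1 = net.fibs, $2 = requested fib. Returns 0 if valid, 1 if not.
fib_valid() {
    case "$2" in '' | *[!0-9]*) return 1 ;; esac
    [ "$2" -lt "$1" ]
}

# pf syntax for the "fib on a pass-in rule" item: rtable selects the table the
# matching flow is routed with. $1 = fib, $2 = interface, $3 = source network.
pf_rule_for_fib() {
    printf 'pass in quick on %s inet from %s to any rtable %s\n' "$2" "$3" "$1"
}

# Live part, FreeBSD only: populate fib $1 and look at it. route(8), netstat(1)
# and ping(8) all act on fib 0 unless run under setfib(1) or told otherwise.
fib_demo() {
    fib=$1 gw=$2
    fib_valid "$(sysctl -n net.fibs)" "$fib" || { echo "fib $fib is not below net.fibs" >&2; return 1; }
    # The post's caveat (untested here): route(8) may refuse the default route
    # until an interface route exists in this fib.
    setfib "$fib" route -n add default "$gw"
    netstat -rn -F "$fib"          # the routing table of this fib only
    setfib "$fib" ping -c 1 "$gw"  # probe resolved through that table
}

# Run the live part only when invoked on FreeBSD with --live; elsewhere the
# file just defines the helpers above.
if [ "$(uname -s)" = FreeBSD ] && [ "${1:-}" = --live ]; then
    fib_demo 1 192.0.2.1
fi
```

Loading the generated rule with `pfctl -f` and then sending traffic from 192.168.2.0/24 is the end-to-end check: `netstat -rn -F 1` shows the table the flow is routed with, while `netstat -rn` (fib 0) is unchanged, which is the "default behaviour does not change" property the post relies on. Whether `net.add_addr_allfibs` still exists on the running release is best checked with `sysctl net.add_addr_allfibs` rather than assumed.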
#90
German - Deutsch / Re: Wireguard VPN Verbindung a...
Last post by BeTZe313 - November 25, 2025, 04:32:30 PM
In OPNsense, on WAN, LAN and WG1, I have opened port 51820 for IN for everything.

Unfortunately that did not help.

I have now installed the client on my phone. Unfortunately it is the same there. The connection is established, but I cannot reach anything in the VPN network.