Recent posts

#81
25.7, 25.10 Series / Re: LAN breaks when moving fro...
Last post by tdpolo26 - December 27, 2025, 07:31:59 AM
Quote from: greY on December 27, 2025, 05:52:39 AM
Hi
I'd try to export configuration, do the replacements/re-mappings (simply search and replace) there and import it back.

Yeah, I had that same idea today... it's like when I switch the assignment, something remains em0.
#82
25.7, 25.10 Series / Re: Suricata IPS + Promiscuous...
Last post by greY - December 27, 2025, 06:03:47 AM
Ended up having all WAN (1G) ports at queues=1 and all LAN (10G) ports at queues=2. I guess LAN ports could be set to 4 or 8, I just currently have no time for deeper tests and performance seems to be the same as before.

It made everything work again. Especially with WAN ports at 4, I also had weird issues with gateway groups. Doesn't matter if load balancing or failover mode, there were connection issues (unstable) to SSH targets.
#83
25.7, 25.10 Series / Re: LAN breaks when moving fro...
Last post by greY - December 27, 2025, 05:52:39 AM
Hi
I'd try to export configuration, do the replacements/re-mappings (simply search and replace) there and import it back.
#84
General Discussion / Re: Latest OPNsense: libcrypto...
Last post by hakuna - December 27, 2025, 04:45:50 AM
Last update!

Everything is working, I have enabled the firewall rules back instead of using public DNS.

OPNsense Announcements is showing a hotfix 25.10.1_2 but it is not available yet; however, I was reading the 25.7 update and that seems to be the root cause of my problems indeed: https://forum.opnsense.org/index.php?topic=50052.msg255254#msg255254

That package manager update is the only thing that could have opened hell's door, until I ran the update again to install another 85 packages which failed with a Danger msg.

So anyway, this update is not great, I have never experienced such a major issue during an OPNsense update process before.
If you run this in prod, get ready for a wild ride.

Please be aware that during the update check the new package manager will be installed, but will fail to report the update status like it always had before and so you will end up with an error that will require checking for updates again. The fix is in this update, but impossible to install without upgrading the package manager first. We hope this will only be a minor inconvenience during the process.
#85
General Discussion / Re: Latest OPNsense: libcrypto...
Last post by hakuna - December 27, 2025, 04:15:13 AM
Something is terribly wrong with the latest updates, the one prior to 25.7.10 and 25.7.10

After fixing the drama above as explained, uPnP wasn't starting and all my DNS setup was broken (Pi-Hole + Unbound), no matter what I did, nothing was working, I had to use public DNS instead.

I checked the update again and there were another 85 packages to install, 25.7.10 update, during the update process it failed with a danger message and 404 when trying to access the UI.

After a reboot and an attempt to update via console, uPnP no longer fails and works; also, my DNS setup is working again.

I have no idea wtf happened, I did the usual, check for update and apply, nothing else.
If you are reading this and haven't updated it yet to 25.7.10, don't.

Something is broken!
#86
25.7, 25.10 Series / Re: Dnsmasq stops after swap_p...
Last post by dmurphy - December 27, 2025, 04:00:17 AM
Just following up that I still see a memory leak in dnsmasq even after a reboot and an update to 25.7.10.

The cronjob which periodically restarts the process is keeping it from being an issue, but I still am trying to track down the leak.

Unfortunately it appears our base FreeBSD doesn't have proper dtrace support; it's mostly broken.

I also tried digging in with gdb but hit a deadend there too; can't really dig into jemalloc that way.

Anyway, looking forward to trying dnsmasq $version++ where we know there are memory leak fixes.  No urgency since the crontab process restart is doing its thing -- seems to be a slow leak.

For fun, here's a procstat -v.  You can see two memory regions that continue to grow.

[root@dmurphy-gw /usr/local/sbin]# procstat -v 21656
  PID              START                END PRT  RES PRES REF SHD FLAG  TP PATH
21656           0x200000           0x216000 r--   22  102   4   1 CN--- vn /usr/local/sbin/dnsmasq
21656           0x216000           0x264000 r-x   78  102   4   1 CN--- vn /usr/local/sbin/dnsmasq
21656           0x264000           0x265000 r--    1  102   4   1 CN--- vn /usr/local/sbin/dnsmasq
21656           0x265000           0x266000 r--    1    1   1   0 CN--- sw
21656           0x266000           0x268000 rw-    2    0   1   0 C---- vn /usr/local/sbin/dnsmasq
21656           0x268000           0x269000 rw-    1    1   1   0 C---- sw
21656        0x800e5b000        0x820e3b000 ---    0    0   0   0 ----- gd
21656        0x820e3b000        0x820e5b000 rw-    5    5   1   0 C--D- sw
21656        0x8219d8000        0x8219d9000 r-x    1    1  99   0 ----- ph
21656        0x8229c4000        0x8229ea000 r--   31   60  20  10 CN--- vn /usr/local/lib/libnettle.so.8.11
21656        0x8229ea000        0x822a16000 r-x   28   60  20  10 CN--- vn /usr/local/lib/libnettle.so.8.11
21656        0x822a16000        0x822a19000 r--    3    0   1   0 CN--- vn /usr/local/lib/libnettle.so.8.11
21656        0x822a19000        0x822a1a000 rw-    1    0   1   0 CN--- vn /usr/local/lib/libnettle.so.8.11
21656        0x823729000        0x82375b000 r--   17   39   4   2 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656        0x82375b000        0x823771000 r-x   22   39   4   2 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656        0x823771000        0x823772000 r--    1    0   1   0 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656        0x823772000        0x823774000 rw-    2    0   1   0 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656        0x8245aa000        0x8245cc000 r--   24   66   4   2 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656        0x8245cc000        0x824626000 r-x   42   66   4   2 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656        0x824626000        0x824627000 r--    1    0   1   0 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656        0x824627000        0x824629000 rw-    2    0   1   0 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656        0x824ede000        0x824f5d000 r--  121  451 308 114 CN--- vn /lib/libc.so.7
21656        0x824f5d000        0x825099000 r-x  316  451 308 114 CN--- vn /lib/libc.so.7
21656        0x825099000        0x8250a2000 r--    9    0   1   0 CN--- vn /lib/libc.so.7
21656        0x8250a2000        0x8250a9000 rw-    7    0   1   0 C---- vn /lib/libc.so.7
21656        0x8250a9000        0x8251ca000 rw-   19   19   1   0 C---- sw
21656     0x1259f7200000     0x1259f7221000 rw-   28   28   1   0 C---- sw
21656     0x1259f7400000     0x1259f7e00000 rw-  840  840   1   0 C---- sw
21656     0x1259f7e00000     0x125a00500000 rw- 31625 31625   1   0 ----- sw
21656     0x125a00600000     0x125a0a200000 rw- 29677 29677   1   0 ----- sw

21656     0x19660f171000     0x19660f177000 r--    6   30 251  57 CN--- vn /libexec/ld-elf.so.1
21656     0x19660f177000     0x19660f18e000 r-x   23   30 251  57 CN--- vn /libexec/ld-elf.so.1
21656     0x19660f18e000     0x19660f18f000 r--    1    0   1   0 CN--- vn /libexec/ld-elf.so.1
21656     0x19660f18f000     0x19660f190000 r--    1    1   1   0 CN--- sw
21656     0x19660f190000     0x19660f192000 rw-    2    2   1   0 C---- sw
21656     0x7fffffffe000     0x7ffffffff000 ---    0    0   0   0 ----- gd
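To make the "two regions that continue to grow" observation repeatable, here is an added helper (not from the post or from dnsmasq) that parses `procstat -v` output and reports writable anonymous mappings (TP `sw`, the heap) whose resident page count grew between two snapshots. The snapshots embedded below are constructed: a few lines modelled on the output above, and a later snapshot in which the two large heap regions have grown.

```python
"""Compare two `procstat -v` snapshots and report anonymous, writable
(swap-backed, TP == 'sw') mappings whose resident size grew, i.e. heap growth.
The snapshots below are constructed: a few lines modelled on the post's output,
and a later one in which the two large heap regions have grown."""
import re

# Columns: PID START END PRT RES PRES REF SHD FLAG TP [PATH]
_LINE = re.compile(
    r"^\s*(\d+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S{3})\s+(\d+)\s+(\d+)"
    r"\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)(?:\s+(\S.*))?$")

def parse_procstat(text):
    """Map (start, end) -> {prot, res, type, path}; header/blank lines are skipped."""
    regions = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            key = (int(m.group(2), 16), int(m.group(3), 16))
            regions[key] = {"prot": m.group(4), "res": int(m.group(5)),
                            "type": m.group(10), "path": m.group(11) or ""}
    return regions

def is_heap(r):
    """Writable anonymous mapping: no backing file, grows with malloc/jemalloc."""
    return r["type"] == "sw" and "w" in r["prot"]

def anon_resident_pages(regions):
    """Resident pages in writable anonymous mappings (the process heap)."""
    return sum(r["res"] for r in regions.values() if is_heap(r))

def grown_regions(before_text, after_text, page_size=4096):
    """Heap regions present in both snapshots with a larger RES in the later one."""
    before, after = parse_procstat(before_text), parse_procstat(after_text)
    return [{"start": hex(s), "end": hex(e),
             "grew_bytes": (r["res"] - before[(s, e)]["res"]) * page_size}
            for (s, e), r in after.items()
            if is_heap(r) and (s, e) in before and r["res"] > before[(s, e)]["res"]]

# Constructed sample: abbreviated first snapshot, then the same process later.
SNAP_T0 = """\
  PID              START                END PRT  RES PRES REF SHD FLAG  TP PATH
21656           0x200000           0x216000 r--   22  102   4   1 CN--- vn /usr/local/sbin/dnsmasq
21656        0x8250a9000        0x8251ca000 rw-   19   19   1   0 C---- sw
21656     0x1259f7e00000     0x125a00500000 rw- 31625 31625   1   0 ----- sw
21656     0x125a00600000     0x125a0a200000 rw- 29677 29677   1   0 ----- sw
"""
SNAP_T1 = SNAP_T0.replace("31625 31625", "32001 32001").replace("29677 29677", "30100 30100")

if __name__ == "__main__":
    for g in grown_regions(SNAP_T0, SNAP_T1):
        print(f"{g['start']}-{g['end']} grew by {g['grew_bytes'] // 1024} KiB")
```

On a live system, capture `procstat -v <pid>` to two files some minutes apart and feed their contents to `grown_regions`; a region that keeps growing across several such intervals is the one worth correlating with dnsmasq's workload (cache fills, DHCP churn).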

#87
General Discussion / Re: Latest OPNsense: libcrypto...
Last post by hakuna - December 27, 2025, 03:18:31 AM
THIS CANNOT BE RIGHT!!!!

Download this since I am running 25.7: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/All/openssl-3.0.18,1.pkg

Extract:

libcrypto.so.12
libssl.so.12

Copy from USB to both locations since idk which is which:

/usr/lib/
/lib/

The system is booting and I can log in, now I need to check if it is gonna connect to the internet.
#88
General Discussion / Re: Struggles scripting with t...
Last post by ASteve - December 27, 2025, 03:03:25 AM
Quote from: allddd on December 27, 2025, 01:24:14 AM
Quote from: ASteve on December 27, 2025, 12:16:30 AM
and triggers an action if either of the upstream gateways is down.

Not sure about the API, but have you considered using Monit? It's designed to do exactly that.
It can notify you, execute a script, or basically do anything else you want it to.

https://docs.opnsense.org/manual/monit.html

Thanks for recommending Monit... it's related to what I'm trying to do.  I have Monit set up... but I'm trying to achieve something subtly different.  Monit can't do what I want because I want the decision about presence/absence of a fault-condition to be made by a host on my LAN - not by the host running OpnSense.

With Monit, while it could run a script (on the OpnSense router) when relevant fault conditions arise... I want a script to periodically verify that the gateway is operating properly.  I don't want my OpnSense router to push notifications of faults... I want a script that runs on a separate host (on my LAN) to poll to check the opposite - i.e. that both uplinks are 'OK'.  I make a distinction between the approaches as they have different failure modes. If some aspect of my networks (LAN/WAN/VPN etc.) is down, this could plausibly block delivery of a message about failure (giving the false impression that everything is OK).  Conversely, if I take a polling approach - dispatching requests (perhaps once a minute) from a host I'm actively using... then any failure to verify things are "OK" (whatever the reason for that failure) will permit reliable notification about there being some kind of problem.  Another obvious distinction between the approaches:  if power to my OpnSense router fails (unplugged/switched off at mains) then the Monit service on it will not be dispatching any notifications.  Conversely, if a service running on my desktop (which I'm actively using) fails to successfully poll the router, and verify things are OK, then it will be able to actively notify me - even if the LAN and/or WAN are not working properly; even if email and/or DNS are not working properly.
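The fail-closed polling design described above, as an added example that is not part of the post: a script for a LAN host that asks the router for gateway status and treats anything short of a positive "all gateways healthy" answer (transport error, HTTP error, unparseable body, missing gateway) as a fault. The endpoint `/api/routes/gateway/status`, basic-auth with an API key/secret, and the `items[].name` / `items[].status_translated` fields are assumptions about the OPNsense API, not taken from the thread; verify them against your own instance.

```python
"""Poll an OPNsense router from a LAN host and decide fail-closed: any
failure to positively confirm every expected gateway is up counts as a fault.

Assumptions (not from the post): GET /api/routes/gateway/status, API key and
secret sent as HTTP basic auth, and a JSON body {"items": [{"name": ...,
"status_translated": "Online" | ...}, ...]}."""
import base64
import json
import urllib.request

HEALTHY = "Online"  # assumed healthy marker in status_translated

def evaluate(body, expected):
    """Return (all_ok, reasons). Malformed data or a missing gateway is a fault."""
    reasons = []
    try:
        items = {g["name"]: g.get("status_translated")
                 for g in json.loads(body)["items"]}
    except (ValueError, KeyError, TypeError) as exc:
        return False, [f"unparseable status response: {exc}"]
    for name in expected:
        state = items.get(name)
        if state != HEALTHY:
            reasons.append(f"{name}: {state or 'missing from response'}")
    return not reasons, reasons

def poll(url, key, secret, expected, timeout=5):
    """Fetch status; DNS, routing, TLS and HTTP errors are faults, never 'OK'."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return evaluate(resp.read().decode(), expected)
    except Exception as exc:  # fail closed: no confirmation means a problem
        return False, [f"poll failed: {exc.__class__.__name__}: {exc}"]

# Constructed sample response: one uplink healthy, one showing packet loss.
SAMPLE = json.dumps({"items": [
    {"name": "WAN1_GW", "status_translated": "Online"},
    {"name": "WAN2_GW", "status_translated": "Packetloss"}]})

if __name__ == "__main__":
    ok, why = evaluate(SAMPLE, ["WAN1_GW", "WAN2_GW"])
    print("OK" if ok else "FAULT: " + "; ".join(why))
```

Run `poll(...)` from cron or a loop on the desktop and route the FAULT case to a local notifier (desktop popup, local log, LED), so the alert path does not depend on the LAN, WAN, DNS or email being healthy.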

#89
General Discussion / Latest OPNsense: libcrypto.so....
Last post by hakuna - December 27, 2025, 02:53:00 AM
I have updated my system via terminal, which only installed 4 packages; I cannot remember them, but they were small, like os-upnp and 3 others.

If I run:

pkg info -a -O '%t %n' | sort -rn
I get these 4 packages at the top, which I believe were the ones installed.

png-1.6.52
pkg-2.3.1_1
os-upnp-1.8
os-lcdprod-sdeclcd-1.1_1

The UI stopped working, it was no longer responding, interfaces not showing, etc. Reboot.
After 1min, I didn't hear the beep sound and the terminal is stuck at:

Shared object "libcrypto.so.12" not found, required by php
Then I tried a hack not knowing much of it just to get the system started:

echo "libcrypto.so.12 libcrypto.so.30" >> /etc/libmap.conf
echo "libssl.so.12 libssl.so.30" >> /etc/libmap.conf

I get other errors because of course, the versions are incompatible.

My system is running openssl-3.0.16 so I have no idea why it is requesting libcrypto.so.12 which no longer belongs to this system version.

So anyway, I have no idea what this update did, 4 packages, now it no longer boots up and I don't have much idea of what to do other than a clean install.
I am avoiding a clean install because I have soooooo many firewall rules and I cannot just import the backup, I need to install wireguard, os-upnp and others, otherwise importing the backup ends up a complete mess.
I also need to manually assign ports, it is a job and a half.

I appreciate any help

#90
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
Last post by OPNenthu - December 27, 2025, 02:45:27 AM
Quote from: muchacha_grande on December 26, 2025, 11:46:31 PM
The only caveat is that static configured addresses are not resolved by Dnsmasq. So I had to add them manually in Unbound overrides.
If the device is configured to get the IP via DHCP, the name resolution works with both dynamic and reserved addresses, but if the IP is fixed on the device and it doesn't get it from DHCP, the name resolution doesn't work.
With ISC-DHCP, the name resolution worked both in the cases of static IPs configured on the devices and in IPs assigned via DHCP.

I'm not sure which approach is better (appreciate advice from others), but I have been adding Host entries in Dnsmasq even for statically configured ones.  They don't show up in Leases, but they do get added to DNS, and I presume it also marks that IP as reserved from the pool.

I make sure all the static IPs I use fall within the Dnsmasq range, which is a difference from ISC.  This can obviously leave unused IPs if your Dnsmasq pool is, for example, .100 to .254.  Then the entire range .2 to .99 is wasted.

I can think of a couple solutions:

1) Define the Dnsmasq range as .2 to .254 (.1 being for the gateway in this example)
2) Define two ranges:  192.168.1.2 - 192.168.1.99 (static pool) and 192.168.1.100 - 192.168.1.254 (DHCP pool) for the same domain

Question for @Monviech/@Maurice or others - is #2 viable and a good idea?  I haven't tested.