"Recent posts
#81
25.7, 25.10 Series / Re: OPNsense dies every 24th h...
Last post by franco - December 04, 2025, 10:17:53 PMYes, I already told you I have my doubts about reliability in FreeBSD with both the in-tree and the vendor driver.
Cheers,
Franco
Cheers,
Franco
#82
25.7, 25.10 Series / Re: Changing NIC caused me a w...
Last post by franco - December 04, 2025, 10:16:06 PMQuote from: jonm on December 04, 2025, 09:53:06 PMHow should I have done this properly?
For an inline replacement: Make a backup of your latest config. Make sure your new NICs work and are numbered correctly (perhaps using a live media boot to inspect this). Boot the old system again (with the old NICs plugged again). Change /conf/config.xml interface instances like suggested here already. Shut down (not reboot). Switch NICs if needed. Boot up.
Cheers,
Franco
#83
25.7, 25.10 Series / Re: OPNsense dies every 24th h...
Last post by TomasL - December 04, 2025, 10:10:42 PMWell, other NICS is out, there is not enough space and only one slot on the MB.
Since it worked W/O any problem with CENTOS, well, it has to be an OPNsense issue and not an HW-isue.
Since it worked W/O any problem with CENTOS, well, it has to be an OPNsense issue and not an HW-isue.
#84
Virtual private networks / Configuration Wireguard Tunnel...
Last post by eXcoRe - December 04, 2025, 10:10:17 PMDear OPNsense community,
first of all, I want to say that I really enjoy using OPNsense. It is a great project that supports many extensions and allows configuring a wide range of scenarios. I am just an enthusiastic user who is here to learn more and gain a better overall understanding. Any support is most welcome — and please be kind, as I do not have 10+ years of networking experience :)
I have already set up OPNsense with working WireGuard connections. The goal is to configure the WireGuard tunnels using Proton DNS without any DNS leakage, while also running Unbound DNS on the firewall.
Only the WireGuard clients (e.g., 192.168.1.90–192.168.1.91) should use the WireGuard tunnel including its DNS, and all other internal clients (e.g., 192.168.1.100–192.168.1.101) should use the Unbound DNS service — in other words, a split DNS configuration.
The OPNsense firewall is configured with Unbound DNS over TLS (port 853), and clients use, for example, Cloudflare (1.1.1.1), Google (8.8.8.8), or Quad9 (9.9.9.9).
Additionally, my configuration currently has a working Squid web proxy, which some VLAN clients and some LAN clients use to access the internet.
For testing purposes, I also deactivated it on the LAN interface, but it still did not work as expected.
Current situation:
The WireGuard clients are routed through the tunnel and receive the Proton IPs. However, during DNS testing, Proton DNS is not displayed — instead, the Unbound DNS appears. Testing was done using https://www.dnsleaktest.com
Traceroute result:
1 <1 ms <1 ms <1 ms OPNsense.localdomain [192.168.1.1]
2 18 ms 15 ms 15 ms 10.2.0.1 --> Proton WG tunnel active and working; my IP address is showing from the VPN
3 16 ms 16 ms 16 ms 205.xxx.xx.xxx --> Proton Server
4 16 ms 16 ms 16 ms vl221.ams-eq6-core-2.cdn77.com [79.127.194.82] --> this is what I want to avoid for WG clients
5 17 ms 17 ms 17 ms 142.250.163.178
6 17 ms 16 ms 16 ms 74.125.243.81
7 15 ms 16 ms 15 ms 209.85.240.100
8 17 ms 16 ms 17 ms 108.170.238.127
9 22 ms 22 ms 23 ms 192.178.75.29
10 24 ms 26 ms 25 ms 209.85.252.76
11 21 ms 21 ms 21 ms 108.170.238.3
12 21 ms 21 ms 21 ms 142.250.214.195
13 22 ms 22 ms 22 ms fra24s07-in-f3.1e100.net [142.250.186.131]
Unbound DNS is maybe "overwriting" or my WG clients are just passing around tunnel, not sure...
But I am quite sure that some firewall rules — and especially NAT — may not be configured correctly. I have not yet been able to identify what exactly is wrong.
Before overloading this post with to many pictures, I have created an extract of my current set up, see below picture:
You cannot view this attachment.
If you need anything more specific to identify this issue, just let me know.
I guess my problem should be clear, so looking forward to your valueable feedbacks.
Thanks
first of all, I want to say that I really enjoy using OPNsense. It is a great project that supports many extensions and allows configuring a wide range of scenarios. I am just an enthusiastic user who is here to learn more and gain a better overall understanding. Any support is most welcome — and please be kind, as I do not have 10+ years of networking experience :)
I have already set up OPNsense with working WireGuard connections. The goal is to configure the WireGuard tunnels using Proton DNS without any DNS leakage, while also running Unbound DNS on the firewall.
Only the WireGuard clients (e.g., 192.168.1.90–192.168.1.91) should use the WireGuard tunnel including its DNS, and all other internal clients (e.g., 192.168.1.100–192.168.1.101) should use the Unbound DNS service — in other words, a split DNS configuration.
The OPNsense firewall is configured with Unbound DNS over TLS (port 853), and clients use, for example, Cloudflare (1.1.1.1), Google (8.8.8.8), or Quad9 (9.9.9.9).
Additionally, my configuration currently has a working Squid web proxy, which some VLAN clients and some LAN clients use to access the internet.
For testing purposes, I also deactivated it on the LAN interface, but it still did not work as expected.
Current situation:
The WireGuard clients are routed through the tunnel and receive the Proton IPs. However, during DNS testing, Proton DNS is not displayed — instead, the Unbound DNS appears. Testing was done using https://www.dnsleaktest.com
Traceroute result:
1 <1 ms <1 ms <1 ms OPNsense.localdomain [192.168.1.1]
2 18 ms 15 ms 15 ms 10.2.0.1 --> Proton WG tunnel active and working; my IP address is showing from the VPN
3 16 ms 16 ms 16 ms 205.xxx.xx.xxx --> Proton Server
4 16 ms 16 ms 16 ms vl221.ams-eq6-core-2.cdn77.com [79.127.194.82] --> this is what I want to avoid for WG clients
5 17 ms 17 ms 17 ms 142.250.163.178
6 17 ms 16 ms 16 ms 74.125.243.81
7 15 ms 16 ms 15 ms 209.85.240.100
8 17 ms 16 ms 17 ms 108.170.238.127
9 22 ms 22 ms 23 ms 192.178.75.29
10 24 ms 26 ms 25 ms 209.85.252.76
11 21 ms 21 ms 21 ms 108.170.238.3
12 21 ms 21 ms 21 ms 142.250.214.195
13 22 ms 22 ms 22 ms fra24s07-in-f3.1e100.net [142.250.186.131]
Unbound DNS is maybe "overwriting" or my WG clients are just passing around tunnel, not sure...
But I am quite sure that some firewall rules — and especially NAT — may not be configured correctly. I have not yet been able to identify what exactly is wrong.
Before overloading this post with to many pictures, I have created an extract of my current set up, see below picture:
You cannot view this attachment.
If you need anything more specific to identify this issue, just let me know.
I guess my problem should be clear, so looking forward to your valueable feedbacks.
Thanks
#85
German - Deutsch / Re: Routing Frage
Last post by Patrick M. Hausen - December 04, 2025, 10:02:51 PMNochmal eine kurze Zusammenfassung:
- der Switch routet zwischen N VLANs
- OPNsense darf dann nur eine Verbindung zu einem davon haben
- für alle anderen bekommt OPNsense eine statische Route mit der IP-Adresse des Switches in dem einen VLAN als Gateway
Alles andere kann man irgendwie hinbiegen aber es wird schmerzhaft und ist eben genau nicht wie Routing gedacht ist.
Warum du das willst, musst du wissen.
Außerdem musst du NAT zum Internet dann manuell oder hybrid konfigurieren, weil OPNsense das automatisch nur für direkt verbundene Netze tut und nicht für die ganzen VLANs hinter dem Switch.
Gruß
Patrick
- der Switch routet zwischen N VLANs
- OPNsense darf dann nur eine Verbindung zu einem davon haben
- für alle anderen bekommt OPNsense eine statische Route mit der IP-Adresse des Switches in dem einen VLAN als Gateway
Alles andere kann man irgendwie hinbiegen aber es wird schmerzhaft und ist eben genau nicht wie Routing gedacht ist.
Warum du das willst, musst du wissen.
Außerdem musst du NAT zum Internet dann manuell oder hybrid konfigurieren, weil OPNsense das automatisch nur für direkt verbundene Netze tut und nicht für die ganzen VLANs hinter dem Switch.
Gruß
Patrick
#86
25.7, 25.10 Series / Lost web mgmt. on 25.7.9 updat...
Last post by OPNenthu - December 04, 2025, 10:00:20 PMUpdate from 25.7.8 -> 25.7.9 went without error and I was not prompted for a reboot, but the web UI became unresponsive afterward. Internet connectivity was not affected.
A reboot command from serial console brought everything back. Looks stable now :)
A reboot command from serial console brought everything back. Looks stable now :)
#87
25.7, 25.10 Series / Re: Changing NIC caused me a w...
Last post by Patrick M. Hausen - December 04, 2025, 09:59:32 PMWhat I do in such cases is "hack it" on the command line - "ifconfig <interface> inet 192.168.1.1/24" followed by "pfctl -d" (with all untrusted networks disconnected). Then connect to the UI and step by step fix things. If necessary repeat that "pfctl -d" (disable all firewalling) on the console until you get to a stable configuration.
#88
Hardware and Performance / Re: N150 / N355 good fits?
Last post by dirtyfreebooter - December 04, 2025, 09:54:18 PMQuote from: OPNenthu on December 04, 2025, 09:13:09 PMHow do you feel about their i3/i5/i7 line (VP66xx)? They are not fanless and of course cost more, but idle TDP is 12W (100W max) per the product sheets. Also dual channel, though not sure if that makes a big difference.
Would you still take the VP2440 over a VP6650 if price were the same?
yea, i didn't want the fan. idle maybe similar, but zenarmor basically keeps 1 cpu at 3-5% on idle, so the cpu is never in that lowest idle state with zenarmor. i am sure the vp6xxx series is good too.
for me, zenarmor annoying AF. they keep removing features saying customers are abusing the free/home tiers, and their solution is to put previous features behind business fees, or not bring multi-core to home license. then the software upgrades, since moving to opnsense business its been better, but for a while zenarmor would break on every opnsense update. then the constant SSL certificate errors on the freebsd repository. like if you can't even get SSL certs correct, do i even trust your software, lol... anyway, long rant, but i am looking at just using adguard home or pihole and some firewall aliases to just replace zenarmor. its not the same, but it would be good enough. and then, the n150 would be overkill, even running wireguard at 2 Gbps (easily).
#89
25.7, 25.10 Series / Re: Changing NIC caused me a w...
Last post by jonm - December 04, 2025, 09:53:06 PMQuote from: franco on December 04, 2025, 07:22:13 PMNote the port assignment is a tool for initial assignment, not for changing configurations on the fly. It can work, but it's not designed to care much and never has been since.
Cheers,
Franco
Thanks Franco. Duly noted. How should
I have done this properly?
#90
German - Deutsch / Re: Routing Frage
Last post by djcroman - December 04, 2025, 09:47:47 PMJa, das ist doch mal eine Antwort mit der ich Arbeiten kann.
Ich erwarte nicht, dass jeder jede Hardware kennt, denn das wäre einfach nicht möglich.
Mit ging es eher um die Grundfrage, ist sowas überhaupt möglich oder nicht.
Ich bin kein Profi in Netzwerkfragen und daher wendet man sich eben an ein Forum und bittet um Hilfe.
Manchmal reicht auch ein kleiner Gedankenstoss und hilft schon immens.
Schade ist einfach immer, dass man von vielen von oben herab abgewürgt wird und das sollte in einem Forum eben nicht der Fall sein.
Ich danke Euch trotzdem und werde mich nun daran setzen und mir neue Hardware für die OPNsense zu besorgen mit 10G Interfaces.
Denn dann ist es egal, wer das Routing übernimmt und ich habe einen Flaschenhals weniger.
Ich erwarte nicht, dass jeder jede Hardware kennt, denn das wäre einfach nicht möglich.
Mit ging es eher um die Grundfrage, ist sowas überhaupt möglich oder nicht.
Ich bin kein Profi in Netzwerkfragen und daher wendet man sich eben an ein Forum und bittet um Hilfe.
Manchmal reicht auch ein kleiner Gedankenstoss und hilft schon immens.
Schade ist einfach immer, dass man von vielen von oben herab abgewürgt wird und das sollte in einem Forum eben nicht der Fall sein.
Ich danke Euch trotzdem und werde mich nun daran setzen und mir neue Hardware für die OPNsense zu besorgen mit 10G Interfaces.
Denn dann ist es egal, wer das Routing übernimmt und ich habe einen Flaschenhals weniger.
