"Recent posts
#81
German - Deutsch / Re: Einsteigerfrage zu NAT
Last post by Patrick M. Hausen - November 21, 2025, 12:12:05 PMQuote from: Bubber on November 21, 2025, 10:14:45 AMWenn ich perspektivisch einen Reverse-Proxy nutzen möchte (um Subdomains für andere Hosts zu nutzen) leitet dieser doch nur Port 80 und ggf. 443 weiter. Das heißt doch, dass ich die NAT-Regel trotzdem für die anderen Ports benötige oder?
Und dann muss ich explizit Port 80 und 443 aus meiner NAT-Regel herausnehmen oder?
Ja und ja.
#82
German - Deutsch / Re: Einsteigerfrage zu NAT
Last post by bamf - November 21, 2025, 12:05:16 PMQuote from: Bubber on November 21, 2025, 09:03:23 AMAuf dem Host dahinter laufen mehrere Dienste die zum Teil viele Ports benötigen. Daher wäre mir das zu fummelig für jeden Port einzeln eine NAT-Regel anzulegen.
Dafür gibt es Aliase. Du bündelst die Ports in einem Alias und legst mit diesem dann eine NAT-Regel an.
#83
25.7, 25.10 Series / Re: Slow server download speed...
Last post by xXHelperXx - November 21, 2025, 11:56:09 AMI have to post here after some digging and blaming the OPS version.
The issue for me, was a configuration in windows on PC (Client).
At first I tried to connect using my phone with the same way and I managed to obtained the full speed.
So tried to test everything in windows environment.
Somehow the issue was relegated to the TCP global option that was disabled.
When run it to default: "Netsh int tcp set global autotuning=normal" The performance back to full speed.
Cheers!
The issue for me, was a configuration in windows on PC (Client).
At first I tried to connect using my phone with the same way and I managed to obtained the full speed.
So tried to test everything in windows environment.
Somehow the issue was relegated to the TCP global option that was disabled.
When run it to default: "Netsh int tcp set global autotuning=normal" The performance back to full speed.
Cheers!
#84
General Discussion / Configuration Converter from S...
Last post by maga - November 21, 2025, 11:15:47 AMThere are thousands of Sophos UTM installations expiring in June 2026.
Are there plans for a configuration converter to facilitate migration to OPNsense?
This would be a big opportunity to boost OPNsense adoption, even if just the basic settings could be translated.
The original SG UTM hardware is capable of running OPNsense, so at least interface naming would be consistent.
If you are interested in such a converter too (or even working on it), then please let the forum know.
Are there plans for a configuration converter to facilitate migration to OPNsense?
This would be a big opportunity to boost OPNsense adoption, even if just the basic settings could be translated.
The original SG UTM hardware is capable of running OPNsense, so at least interface naming would be consistent.
If you are interested in such a converter too (or even working on it), then please let the forum know.
#85
German - Deutsch / Re: NUT Plugin noch verfügbar?
Last post by no_Legend - November 21, 2025, 10:50:35 AMDanke habs gefunden!
#86
Virtual private networks / OPNsense25.7 - Virtual Box Mac...
Last post by User369 - November 21, 2025, 10:46:26 AMHello everyone, I'm setting up a local lab environment using VirtualBox on an Arch Linux host.
The virtual machine has been configured with the following specifications:
General:
Name:
FW-OPNsense-25.7
Operating System: FreeBSD (64-bit)
System:
Base Memory:
4096 MB
Processors:
2
Boot Order:
Floppy, Optical, Hard Disk
Acceleration: Nested Paging
Display:
Video Memory:
Scale-factor:
Graphics Controller:
Remote Desktop Server:
Recording:
Storage:
Controller: IDE
16 MB
2.00
VMSVGA
Disabled
Disabled
IDE Primary Device 0: FW-OPNsense-25.7.vdi (Normal, 50.00 GB)
Audio:
Host Driver: Default
Controller:
ICH AC97
Network:
Adapter 1: Intel PRO/1000 MT Desktop (NAT Network, 'NatNetwork')
Adapter 2: Intel PRO/1000 MT Desktop (NAT Network, 'Management')
Adapter 3: Intel PRO/1000 MT Desktop (NAT Network, 'Clients')
USB:
USB Controller: OHCI, EHCI Device Filters: 0 (0 active)
Shared folders:
None
Description:
None
The networks are:
WAN -> NatNetwork
LAN -> Management
OPT1 -> Clients
For some reason the network i have connected to adapter 3 never works,
I tried deleting and creating fresh networks with different IP ranges several times and it never works,
It seems like what ever the network that is configured as OPT1 never works [WAN & LAN networks work fine].
When i boot up a machine in the clients network i get an APIPA IP address.
The OPNsense web GUI confirmed that DHCP was enabled and the IP ranges were correctly configured.
What's the source of this problem, and what is the recommended fix?
The virtual machine has been configured with the following specifications:
General:
Name:
FW-OPNsense-25.7
Operating System: FreeBSD (64-bit)
System:
Base Memory:
4096 MB
Processors:
2
Boot Order:
Floppy, Optical, Hard Disk
Acceleration: Nested Paging
Display:
Video Memory:
Scale-factor:
Graphics Controller:
Remote Desktop Server:
Recording:
Storage:
Controller: IDE
16 MB
2.00
VMSVGA
Disabled
Disabled
IDE Primary Device 0: FW-OPNsense-25.7.vdi (Normal, 50.00 GB)
Audio:
Host Driver: Default
Controller:
ICH AC97
Network:
Adapter 1: Intel PRO/1000 MT Desktop (NAT Network, 'NatNetwork')
Adapter 2: Intel PRO/1000 MT Desktop (NAT Network, 'Management')
Adapter 3: Intel PRO/1000 MT Desktop (NAT Network, 'Clients')
USB:
USB Controller: OHCI, EHCI Device Filters: 0 (0 active)
Shared folders:
None
Description:
None
The networks are:
WAN -> NatNetwork
LAN -> Management
OPT1 -> Clients
For some reason the network i have connected to adapter 3 never works,
I tried deleting and creating fresh networks with different IP ranges several times and it never works,
It seems like what ever the network that is configured as OPT1 never works [WAN & LAN networks work fine].
When i boot up a machine in the clients network i get an APIPA IP address.
The OPNsense web GUI confirmed that DHCP was enabled and the IP ranges were correctly configured.
What's the source of this problem, and what is the recommended fix?
#87
General Discussion / Re: OpnSense SFP+ connection t...
Last post by meyergru - November 21, 2025, 10:25:34 AMAt this point, I am inclined to believe it may be a limitation of the SFP slots. Intel did some trickery with those w/r to detection of some branded modules (I thin I remember that there are driver settings for that). Also, it might be a firmware thing.
The reason is that the limit occurs at 1 Gbit/s, which points to a hardware limit, not one that is induced by software or CPU capacity.
The reason is that the limit occurs at 1 Gbit/s, which points to a hardware limit, not one that is induced by software or CPU capacity.
#88
Virtual private networks / Re: Wireguard: 2FA Login Sugge...
Last post by Monviech (Cedrik) - November 21, 2025, 10:16:14 AMWhy not use the battle tested OpenVPN server with MFA already existing in OPNsense core?
#89
German - Deutsch / Re: Einsteigerfrage zu NAT
Last post by Bubber - November 21, 2025, 10:14:45 AMVielleicht noch eine Verständnisfrage:
Wenn ich perspektivisch einen Reverse-Proxy nutzen möchte (um Subdomains für andere Hosts zu nutzen) leitet dieser doch nur Port 80 und ggf. 443 weiter. Das heißt doch, dass ich die NAT-Regel trotzdem für die anderen Ports benötige oder?
Und dann muss ich explizit Port 80 und 443 aus meiner NAT-Regel herausnehmen oder?
Wenn ich perspektivisch einen Reverse-Proxy nutzen möchte (um Subdomains für andere Hosts zu nutzen) leitet dieser doch nur Port 80 und ggf. 443 weiter. Das heißt doch, dass ich die NAT-Regel trotzdem für die anderen Ports benötige oder?
Und dann muss ich explizit Port 80 und 443 aus meiner NAT-Regel herausnehmen oder?
#90
General Discussion / Re: [Help Needed] Block outgoi...
Last post by meyergru - November 21, 2025, 10:11:23 AMI am all for blocking inbound ICMP, but, as I said: By using your rationale you could fordbid any kind of outbound traffic, because "there are attack techniques" that use that kind.
Once attackers are able to craft ICMP packets for exfiltration from inside your network, it is already too late, because they obviously have infiltrated your network already.
Which means: You can stop exfiltration only by blocking any outbound traffic, because any kind can be used to transport data. On the other hand, this obviously also refers to inbound traffic, because any connection can be used both ways.
A firewall should keep attackers outside in the first place. Once they are in, you cannot do much with a firewall, unless you are willing to sacrifice basic functionality or create the equivalent of a "sneakernet" (i.e. have no internet access at all).
Basically, you need endpoint security to evade exfiltration or in the case of IoT or other untrusted devices, confine them to a VLAN where they cannot exfiltrate anything worthwhile.
Everyone is free to apply any measure to reduce attack surface at any level. I just wanted to point out that the leverage in this case is fairly limited, so your efforts may be put to better use.
Once attackers are able to craft ICMP packets for exfiltration from inside your network, it is already too late, because they obviously have infiltrated your network already.
Which means: You can stop exfiltration only by blocking any outbound traffic, because any kind can be used to transport data. On the other hand, this obviously also refers to inbound traffic, because any connection can be used both ways.
A firewall should keep attackers outside in the first place. Once they are in, you cannot do much with a firewall, unless you are willing to sacrifice basic functionality or create the equivalent of a "sneakernet" (i.e. have no internet access at all).
Basically, you need endpoint security to evade exfiltration or in the case of IoT or other untrusted devices, confine them to a VLAN where they cannot exfiltrate anything worthwhile.
Everyone is free to apply any measure to reduce attack surface at any level. I just wanted to point out that the leverage in this case is fairly limited, so your efforts may be put to better use.
