Recent posts

#81
General Discussion / OPNsense, IPSEC VPN and Cisco ...
Last post by bx2 - October 23, 2025, 06:42:01 PM
Hello everyone,

Our organization uses Cisco Umbrella for web filtering. On our primary site (Home Office) I have two Cisco Umbrella Virtual Forwarders that are used for DNS resolution.

I am working on configuring and testing two DEC2752 units in an HA configuration for a remote office. The remote office will connect to Home Office via an IPSEC site-to-site VPN connection.

This remote office is small enough that there is not and won't be any server onsite. Due to this, I want our web traffic from the remote site to traverse the VPN tunnel back to the home office.

Now, in the event that the VPN tunnel is down, I want to use the Cisco Umbrella public DNS IPs.

The remote office staff get their IP addressing/DNS information via AD/DHCP. This of course won't work when the tunnel is down.

I was thinking that I might be able to configure the public DNS IP addresses in the OPNsense System/General settings but I am not sure if that would help.

Within OPNsense, I have not configured Unbound/DNSMasq.

Any suggestions with my current configuration on what I can do to keep web traffic flowing if IPSEC is down?


Thank you,
#82
General Discussion / default for the firewall
Last post by benoitc - October 23, 2025, 06:34:06 PM
I have set up multi-homed BGP over 2 VLANs. This works well, but now I can't update the firewall anymore. I also have a separate WAN (FTTH) on which I could let the firewall update.

I'm trying to do policy routing, but so far I have failed to make anything from the firewall go over the FTTH. Any hint / example of configuration is welcome :)
#83
Hardware and Performance / Re: Upgraded a protectli VP241...
Last post by BrandyWine - October 23, 2025, 06:00:40 PM
I'll guess and say it's a 225V(3) NIC, but could there be a (4)? I think 225 stopped at (3).
Intel appears to have just released an updated driver, which won't help with OPNsense because we can't unload the static drivers in the kernel module.
This issue is really a shout-out to the OPNsense team: "stop using GENERIC" when compiling FreeBSD, make NIC drivers KLMs instead.

10/20/2025
https://www.intel.com/content/www/us/en/products/sku/184676/intel-ethernet-controller-i225v/downloads.html
#84
25.7, 25.10 Series / Re: "Danger. Unexpected error,...
Last post by jonm - October 23, 2025, 05:56:27 PM
Thanks Franco. I can provide logs if they might be of help. The system seems to be ok now.
#85
25.7, 25.10 Series / Re: [SOLVED] Intermittent WAN ...
Last post by BrandyWine - October 23, 2025, 05:48:24 PM
Quote from: letsief on October 23, 2025, 03:31:06 PM
That's a little like going to a doctor saying your arm hurts when you lift it, and the doctor telling you not to lift it. At this point, my bigger concern is what other bugs might be going on. Although, I'm not seeing anything obvious.
No, it's not... like that.
1) Why would promisc be needed here? It's not needed; the fw is not a dedicated IDS, although I guess you could use it for that, but an OPNsense VM for fw, running a promisc iface? Why?
2) If the suspected cause is promisc, then turn it off and run the wanted service, see if that cures the hurt arm.
3) Mixing promisc settings between a VM and its host can be problematic, but why the iface faults like that is odd; perhaps the driver being used doesn't like the settings that way, so it faults without spitting out good log data?

Or am I missing something that says promisc is needed?
#86
General Discussion / Problems with SFP module in DE...
Last post by TechTree - October 23, 2025, 05:29:21 PM
Hi there forum!

I'm having some interesting problems with my (ISP supplied) SFP module (not SFP+ mind you) in my DEC750. I knew from the get-go that it would probably not be as plug-and-play as it was in my old USG 4 Pro, the port being SFP+ and all, but what I've encountered is somewhat beyond me.

I've determined that the SFP module is supposed to run at 1000baseLX (see spec sheet below), and it is quite possible to get it up and running. But it requires some manual work. I've set the module, in `ax0`, to run at the specified speed/duplex:
[attachment not available]
But after (re-)booting it looks like this in the console:
[attachment not available]
Specifically the `media: Ethernet autoselect` and `status: no carrier` are a bit troubling, for I hope obvious reasons.
The workaround I've been able to come up with is to set the s/d to 1000Base-KX:
[attachment not available]
which gives me a carrier, but no connectivity. (I'm guessing the final lines are just remnants from previous successful DHCP requests, as I re-created the errors and fixes a few times.) Then switching back to 1000baseLX I get both a carrier and proper connectivity until reboot:
[attachment not available]

Things I've tried so far:
  • Going from `autoselect` to `1000baseLX` ❌
  • Going from `autoselect` to `1000base-SGMII` ❌
  • Going from `autoselect` to `1000baseSX` ❌
  • Going from `1000base-SGMII` to `1000baseLX` ❌
  • Setting `1000Base-KX`, rebooting and then selecting `1000baseLX` ❌

So, if I've not been clear about what my problem is: I can, after some workarounds, get the link up and working, but I'd like to not have to, as it stops me from retiring the USG 4 Pro and switching over to the DEC750. I'm fine with having to do some automated post-ax0-up scripting if that would solve my issue, but I've not found a straightforward way to change the s/d setting via the CLI or where I'd put a script to do it 😅
Thoughts? Ideas? Suggestions? Dare I say, solutions? 😁

Thank you for your time regardless!

SFP module spec sheet, if that matters 😉
#87
25.7, 25.10 Series / Re: "Danger. Unexpected error,...
Last post by franco - October 23, 2025, 05:24:43 PM
We're investigating these reports, which seem to be more frequent than usual and are likely due to the new package manager update behaviour.

It looks like the core package was deinstalled, some packages updated but ultimately failed and the core package not put back. I can't say more for lack of evidence, but if that's the case I know what to fix.

In your case the system is probably not in a recoverable state, but a config import from install media and reinstall will bring you back.


Cheers,
Franco
#88
25.7, 25.10 Series / "Danger. Unexpected error, che...
Last post by jonm - October 23, 2025, 05:18:07 PM
I just got this rather scary message during the update to 25.7.6. The update appeared to stop.

I couldn't log in at the console, I got this error:

Password:
sh: /usr/local/libexec/opnsense-auth: not found
Login incorrect

The GUI then gave a 404 error.

After a couple of minutes it sprang back into life.

I've never seen this behaviour before. Is it expected?

The update appears to have now completed successfully, as far as I can tell.
#89
25.7, 25.10 Series / Re: Connectivity Check: Non-re...
Last post by dbehrens - October 23, 2025, 05:16:02 PM
I'm having a similar issue.  I'm running OPNsense 25.7.3_7-amd64 and running on an Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz.  DNS appears to work fine as it resolves pkg.opnsense.org just fine, and I've also forced my MTU to 1500 even though it had auto-selected that before I forced it.

root@repulse:~ # ping -s 1499 pkg.opnsense.org
PING pkg.opnsense.org (89.149.222.99): 1499 data bytes
1507 bytes from 89.149.222.99: icmp_seq=0 ttl=50 time=118.490 ms
1507 bytes from 89.149.222.99: icmp_seq=1 ttl=50 time=118.232 ms
1507 bytes from 89.149.222.99: icmp_seq=2 ttl=50 time=118.205 ms
1507 bytes from 89.149.222.99: icmp_seq=3 ttl=50 time=119.084 ms
1507 bytes from 89.149.222.99: icmp_seq=4 ttl=50 time=119.107 ms
1507 bytes from 89.149.222.99: icmp_seq=5 ttl=50 time=119.041 ms
1507 bytes from 89.149.222.99: icmp_seq=6 ttl=50 time=119.053 ms
1507 bytes from 89.149.222.99: icmp_seq=7 ttl=50 time=117.933 ms
1507 bytes from 89.149.222.99: icmp_seq=8 ttl=50 time=118.468 ms
1507 bytes from 89.149.222.99: icmp_seq=9 ttl=50 time=118.592 ms
^C
--- pkg.opnsense.org ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 117.933/118.621/119.107/0.406 ms

root@repulse:~ # pkg update
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.txz: Operation timed out
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.pkg: Operation timed out
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.txz: Operation timed out
Unable to update repository OPNsense
Error updating repositories!
root@repulse:~ #
#90
Announcements / Re: OPNsense 25.10 business ed...
Last post by franco - October 23, 2025, 05:11:29 PM
A hotfix release was issued as 25.10_2:

o system: safeguard config history delete and revert by requiring HTTP POST method
o rc: make sure /var/lib/php/tmp can be accessed by "other" users
o plugins: os-OPNBEcore 1.7
o plugins: os-OPNcentral 1.12
o plugins: os-q-feeds-connector 1.2[1][2]
o plugins: os-squid 1.4 works around CVE-2025-62168 (contributed by m.a.x. it)

[1] https://docs.opnsense.org/manual/qfeeds.html
[2] https://github.com/opnsense/plugins/blob/stable/25.7/security/q-feeds-connector/pkg-descr