Recent posts

#81
25.7, 25.10 Series / Re: DNS lookups by opnsense se...
Last post by dunxd - December 17, 2025, 08:11:16 PM
I noticed that I had at some point added an entry to the 192.168.1.201 table in OPNsense for the domain * to my internal DNS.  I'm not sure why I added that since I don't mean to use DNSmasq in OPNsense for any DNS resolution other than receiving lookups from PiHole for reverse lookups of local devices.

I have removed that entry and confirmed it hasn't broken DNS on my network (yet), so I can observe over the next few hours whether this removes those lookups.

Looking at Pihole's query log it has many thousands of lookups for

  • lb._dns-sd._udp.0.1.168.192.in-addr
  • db._dns-sd._udp.0.1.168.192.in-addr.arpa
  • b._dns-sd._udp.0.1.168.192.in-addr.arpa

coming from the OPNsense IP address. That's some kind of DNS discovery traffic.  Pihole was forwarding these back to OPNsense, so I think there is some kind of loop due to the entry I removed.
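As an added illustration (not code from the post, Pi-hole or OPNsense) of what the query log above is showing: the names are RFC 6763 DNS-SD domain-enumeration PTR queries (b, db, lb, r, dr ._dns-sd._udp.<reverse-IP>.in-addr.arpa), and a resolver loop shows up when the client that asked is the same host the query gets forwarded to. The log lines are constructed and assume dnsmasq's `query[TYPE] name from client` / `forwarded name to server` format, which Pi-hole's query log uses.

```python
import re
from collections import Counter

# RFC 6763 browse/registration domain enumeration labels under the reverse zone.
DNSSD_RE = re.compile(
    r"^(?:l?b|db|d?r)\._dns-sd\._udp\.(?:\d{1,3}\.){4}in-addr\.arpa\.?$", re.I)
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")
FWD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<server>\S+)")

def is_dnssd_enum(name):
    """True for names like lb._dns-sd._udp.0.1.168.192.in-addr.arpa."""
    return bool(DNSSD_RE.match(name))

def analyze(lines):
    """Count DNS-SD enumeration queries per client and flag clients whose
    own query was forwarded straight back to them (a resolver loop)."""
    per_client = Counter()
    last_asker = {}          # name -> client that most recently asked for it
    looped = set()
    for line in lines:
        q = QUERY_RE.search(line)
        if q and is_dnssd_enum(q["name"]):
            per_client[q["client"]] += 1
            last_asker[q["name"]] = q["client"]
            continue
        f = FWD_RE.search(line)
        if f and f["name"] in last_asker and f["server"] == last_asker[f["name"]]:
            looped.add(f["server"])
    return per_client, looped

# Constructed sample lines; 192.168.1.1 plays the OPNsense box that Pi-hole forwards to.
SAMPLE_LOG = """\
Dec 17 19:58:01 dnsmasq[812]: query[PTR] lb._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Dec 17 19:58:01 dnsmasq[812]: forwarded lb._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Dec 17 19:58:02 dnsmasq[812]: query[PTR] db._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.1
Dec 17 19:58:02 dnsmasq[812]: forwarded db._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Dec 17 19:58:03 dnsmasq[812]: query[PTR] b._dns-sd._udp.0.1.168.192.in-addr.arpa from 192.168.1.23
Dec 17 19:58:03 dnsmasq[812]: forwarded b._dns-sd._udp.0.1.168.192.in-addr.arpa to 192.168.1.1
Dec 17 19:58:04 dnsmasq[812]: query[A] www.example.com from 192.168.1.23
Dec 17 19:58:04 dnsmasq[812]: forwarded www.example.com to 9.9.9.9
""".splitlines()

if __name__ == "__main__":
    counts, loops = analyze(SAMPLE_LOG)
    print(counts)   # Counter({'192.168.1.1': 2, '192.168.1.23': 1})
    print(loops)    # {'192.168.1.1'}
```

Feeding the real Pi-hole dnsmasq log through `analyze` shows whether the thousands of lookups all come from the forwarder address, which is the loop signature rather than ordinary client discovery traffic.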
#82
25.7, 25.10 Series / Re: 26.1 Release Question
Last post by spetrillo - December 17, 2025, 08:10:15 PM
OMG...really Franco? It's there in 25.7.8? Firing up a test unit!
#83
Tutorials and FAQs / Re: OPNsense + PROXMOX + VLANs...
Last post by spetrillo - December 17, 2025, 08:09:02 PM
Still does not work...

My PC's port is set to both vlan 1 and vlan 2 untagged. Do I need to delete the vlan 1 reference from the switch port or just set the PVID to 2?
#84
25.7, 25.10 Series / Web GUI Issue after upgrading
Last post by svendsen - December 17, 2025, 08:00:49 PM
Hi guys,

After upgrading to 25.7, I've started to see odd behaviour on the Web UI.
I'm getting many jQuery console errors, e.g.:

 Uncaught SyntaxError: Unexpected token '+' (at jquery-3.5.1.min.js:2:82465)

And many more. This results in many broken UI items (textboxes that should have been dropdowns, etc.)

Is this a known issue? I planned to roll back to an earlier release, but wanted to check here first.

Thanks!
#85
25.7, 25.10 Series / Re: 26.1 Release Question
Last post by franco - December 17, 2025, 07:51:09 PM
Hmm, but

commit def59b6038a13583b159d102deef7190cd9c3701
Author: Bhosale, Yogeshnull <nullyogesh.bhosale@intel.com>
Date:   Tue Aug 19 16:19:07 2025 +0200

    ix/ixv: Add support for new Intel Ethernet E610 family devices

% git tag --contains def59b6038
25.7.8


;)
#86
Tutorials and FAQs / Re: OPNsense + PROXMOX + VLANs...
Last post by Patrick M. Hausen - December 17, 2025, 07:42:30 PM
If the port on the switch is VLAN 2 untagged, don't set a VLAN on the PC.
#87
General Discussion / Re: block cameras to internet
Last post by chemlud - December 17, 2025, 07:12:55 PM
Hi, I see different problems with your BLOCK rule:

- You want to block ipv6 traffic for ipv4 addresses (in your cam alias)? What is the status for ipv6 on your LAN? Place a general block ipv6 above your block rule and reduce the existing block rule to ipv4 protocols.

- Do your cams get reserved (static mapping, always identical) IPs (based on MAC) via DHCP? Only in this case the block rule will block the cams reliably.

Cheers (noisy in here... hohoho)
#88
General Discussion / Re: block cameras to internet
Last post by meyergru - December 17, 2025, 07:11:54 PM
Why do we do that? Because in networking, everything is either true or false. When I see something that is false - especially when false advice is given - I correct it, nothing personal, you only take it for that. These topics are mostly security-relevant, so we should exercise some care.

So now for the OP's problem:

I understand AllInt is an interface group for all internal interfaces. OPNsense's rule processing order is documented here:

https://docs.opnsense.org/manual/firewall.html#processing-order

The order is floating rules > interface group rules > interface rules. Since your block rule is way up top in the interface group rules, it should work unless there were floating allow rules that allow outbound access.

How do you know that your cameras can still connect outside? Unless - I see you also have IPv6-related rules. Could it be the case that they open outbound connections via IPv6?

Your block rule only applies to IPv4, even if it incorrectly says IPv4+IPv6.

If that is your problem, you probably can block your devices only via their MAC - you would have to create a MAC alias containing both MACs and use that in a second IPv6 rule to block access to "any". You probably cannot use IPv6 aliases directly, if your IPv6 prefixes change.
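As an added model of the two points in this post (it is not OPNsense code): rules are evaluated in the documented order floating > interface group > interface, and a block rule built on an alias of IPv4 addresses never matches an IPv6 packet even when the rule itself is set to IPv4+IPv6. It assumes every rule is a 'quick' first-match rule and uses constructed camera addresses and a typical allow-all LAN rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    scope: str       # "floating", "group" (interface group) or "interface"
    action: str      # "pass" or "block"
    family: str      # "inet" (IPv4), "inet6" (IPv6) or "inet46" (IPv4+IPv6)
    src: tuple       # alias: tuple of CIDR strings, or ("any",)
    dst: tuple = ("any",)

# Processing order from the OPNsense docs: floating > group > interface.
SCOPE_ORDER = {"floating": 0, "group": 1, "interface": 2}

def family_ok(rule, addr):
    if rule.family == "inet46":
        return True
    return (rule.family == "inet") == (addr.version == 4)

def alias_ok(alias, addr):
    # An alias of IPv4 networks can never match an IPv6 address, which is
    # why an "IPv4+IPv6" block rule built on such an alias is IPv4-only.
    if alias == ("any",):
        return True
    return any(addr in ip_network(n, strict=False)
               for n in alias if ip_network(n, strict=False).version == addr.version)

def evaluate(rules, src, dst):
    """Verdict of the first matching rule (all rules assumed 'quick');
    pf's default when nothing matches is to block."""
    s, d = ip_address(src), ip_address(dst)
    for r in sorted(rules, key=lambda r: SCOPE_ORDER[r.scope]):
        if family_ok(r, s) and alias_ok(r.src, s) and alias_ok(r.dst, d):
            return r.action
    return "block"

# Constructed camera alias (IPv4 only) and a typical "LAN allow all" rule.
CAMERAS = ("192.168.1.50/32", "192.168.1.51/32")
RULES = [
    Rule("group", "block", "inet46", CAMERAS),       # top of the AllInt group rules
    Rule("interface", "pass", "inet46", ("any",)),   # default LAN allow rule
]

if __name__ == "__main__":
    print(evaluate(RULES, "192.168.1.50", "203.0.113.10"))      # block
    print(evaluate(RULES, "2001:db8:1::50", "2001:db8:99::1"))  # pass: IPv6 slips past
    # A floating pass rule sits earlier in the order and overrides the group block.
    print(evaluate([Rule("floating", "pass", "inet46", ("any",))] + RULES,
                   "192.168.1.50", "203.0.113.10"))             # pass
```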

#89
General Discussion / Re: block cameras to internet
Last post by coffeecup25 - December 17, 2025, 06:41:55 PM
meyergru, the football keeps on being moved a bit at a time. Eventually you will sneak it across the goal if nobody notices the sneak.

Shut Down the app - check

Block specific addresses from the LAN - check

Conflating RFC1918 with errant devices - check

Internet Leakage - still an unsolved mystery

Everything else is only sneaking the football down the pitch. Why do you old pros always do that? All it does is chase people away. OK, you remain one of the princes here who apparently could use a refresher course in networking fundamentals along with making an effort to stop changing the subject a little at a time so you are never wrong. That's annoying and not uncommon. I doubt you're fooling anyone except the other princes. Don't argue with me like I'm your wife.

Now, fix his problem. Don't walk away after all this. I mean fix it, not offer some incomplete techno-babble.

Here's an overkill solution. Build a new subnet using an open port. (Please dear god ignore the VLANs. they aren't needed and won't add value.)  Hang a spare access point off of it or off of a simple switch attached to it. Put the bad devices on that subnet. Block the subnet from the WAN. Weirdly complicated and massive overkill, but fixed. My favorite solution is simply to unplug it.
#90
25.7, 25.10 Series / Re: 26.1 Release Question
Last post by spetrillo - December 17, 2025, 06:36:00 PM
Thanks all...I just wanted to understand when the E610 will become usable in FreeBSD, without the need to compile. Not going down that road! If I had one wish it would be if support for the E610 could be added into 14.3, but that is not really your call.