Recent posts

#81
25.1, 25.4 Series / Re: Unable to add/edit/clone r...
Last post by part_time_nerd - November 17, 2025, 10:07:55 PM
I have pretty much the same problem since I updated from the last 2024 version in several steps to 25.7.7 lately.

The list of rules appears to be empty and they also cannot be found via the API.
They are in my last config dump, however, and I restored the router from that dump, sadly to no avail (filter rules still empty).
None of the patches above apply for me. What can I do to further diagnose the problem?
#82
Intrusion Detection and Prevention / Re: IDS and Monit
Last post by spetrillo - November 17, 2025, 10:02:34 PM
Not sure why...but I had to delete the entry and re-create...score 1 for AI.
#83
25.7, 25.10 Series / Wireguard & LAN-LAN SMB
Last post by JMini - November 17, 2025, 09:52:32 PM
New to OPNSense and this is my first post. Coming from Astaro/Sophos UTM.
I have a 6 port firewall appliance (Topton)
I also have a QNap NAS with 2 ports (one on the LAN2 network and the other on the DMZ4 network)
These are just named based on their subnet. 10.10.20.0/24 for LAN2 and 10.10.40.0/24 for DMZ4
For this let's call its network connections Qnap-LAN2 and QNap-DMZ4
The QNap gets assigned DHCP addresses from hosts definitions so they're always the same.
So far most things work great. DNS, internet connectivity, etc.
I have WireGuard set up and clients can connect.
I can connect to QNap-LAN2 from computers on the LAN2 network. No sweat.
I have FW rules to allow LAN2 & WireGuard addresses to the DMZ4 network.
I can ping QNap-DMZ4 from my PC on LAN2. (All of this using IP addresses, not host names)
However I have some questions regarding 2 things.
1. Allowing SMB access with user/password authentication to the QNap-DMZ4 from the LAN2 network
2. Allowing SMB access with user/password authentication to the QNap-DMZ4 from the WireGuard network

Issue 1: If I create a Masq rule (outbound NAT) such that traffic from LAN2 to DMZ4 is masqueraded to the DMZ4 interface address, and it's placed before the LAN2-to-WAN masq, I get a Windows Explorer message that denies access to QNap-DMZ4 from my LAN2 Windows PC due to authentication. If I disable that Masq rule, it instantly accepts authentication and I can browse folders on the share. If I then re-enable the masq rule, it continues to work. Is there any need for inbound SMB traffic to look like it's on the same subnet?

Issue 2: I guess this would apply to the WireGuard connections as well.

Thanks in advance.
#84
General Discussion / Re: Maxmind Block of Countries...
Last post by spetrillo - November 17, 2025, 09:07:10 PM
Ohh damn...there are a lot of blocked IPs. More than I expected...guess it's time for a syslog solution if I really want to track this stuff. This is wayyyy past Monit.
#85
General Discussion / Re: Maxmind Block of Countries...
Last post by meyergru - November 17, 2025, 08:42:24 PM
/var/log/filter/latest.log
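As an added illustration (not part of this thread or of OPNsense itself) of how the file named above can be turned into the kind of summary spetrillo is after without a full syslog stack: a small parser that extracts the pf "filterlog" CSV record from each line and counts inbound blocks per source address. It assumes the documented pfSense/OPNsense filterlog field order (rule number, sub-rule, anchor, label, interface, reason, action, direction, IP version, then per-version fields) and that the CSV payload follows the syslog header's closing `] `; the sample lines and addresses are constructed, not real log data.

```python
"""Summarise inbound blocks from an OPNsense filter log.

Added example, not from the forum thread. Assumption: each line of
/var/log/filter/latest.log carries a pf "filterlog" CSV record after the
syslog header, in the pfSense/OPNsense field order
rulenum,subrulenum,anchor,label,interface,reason,action,dir,ipver,...
followed by IPv4- or IPv6-specific fields. Sample lines are constructed.
"""
import csv
import io
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Constructed sample log (documentation address ranges, invented PIDs/sequence ids).
SAMPLE_LOG = """\
<134>1 2025-11-17T20:00:01+00:00 OPNsense filterlog 1234 - [meta sequenceId="1"] 86,,,0,igc0,match,block,in,4,0x0,,117,0,0,DF,6,tcp,60,203.0.113.45,198.51.100.10,51234,443,0,S,,,,,
<134>1 2025-11-17T20:00:05+00:00 OPNsense filterlog 1234 - [meta sequenceId="2"] 86,,,0,igc0,match,block,in,4,0x0,,117,0,0,DF,6,tcp,60,203.0.113.45,198.51.100.10,51240,22,0,S,,,,,
<134>1 2025-11-17T20:00:09+00:00 OPNsense filterlog 1234 - [meta sequenceId="3"] 86,,,0,igc0,match,block,in,4,0x0,,52,0,0,none,17,udp,78,198.51.100.77,198.51.100.10,40000,53,58
<134>1 2025-11-17T20:00:12+00:00 OPNsense filterlog 1234 - [meta sequenceId="4"] 12,,,0,igc1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,198.51.100.10,50000,443,0,S,,,,,
<134>1 2025-11-17T20:00:15+00:00 OPNsense filterlog 1234 - [meta sequenceId="5"] 86,,,0,igc0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::1,2001:db8::10,51000,443,0,S,,,,,
garbage line that is not a filterlog record
"""


def parse_filterlog_line(line: str) -> Optional[dict]:
    """Return the interesting fields of one filterlog record, or None if the
    line is not a usable record (too short, unknown IP version, no payload)."""
    # The CSV payload follows the last "] " of the RFC 5424 header (assumption).
    payload = line.rsplit("] ", 1)[-1].strip()
    if not payload:
        return None
    fields = next(csv.reader(io.StringIO(payload)))
    if len(fields) < 9:
        return None
    rec = {
        "rule": fields[0],
        "interface": fields[4],
        "action": fields[6],   # "block" or "pass"
        "dir": fields[7],      # "in" or "out"
        "ipver": fields[8],
    }
    if fields[8] == "4" and len(fields) >= 20:
        # IPv4: tos, ecn, ttl, id, offset, flags, proto-id, proto, length, src, dst, [sport, dport]
        rec.update(proto=fields[16], src=fields[18], dst=fields[19])
        rec["dport"] = fields[21] if len(fields) > 21 else ""
    elif fields[8] == "6" and len(fields) >= 17:
        # IPv6: class, flowlabel, hoplimit, proto, proto-id, length, src, dst, [sport, dport]
        rec.update(proto=fields[12], src=fields[15], dst=fields[16])
        rec["dport"] = fields[18] if len(fields) > 18 else ""
    else:
        return None
    return rec


def blocked_records(lines: Iterable[str]) -> Iterable[dict]:
    """Yield only records for traffic the firewall blocked on the way in."""
    for line in lines:
        rec = parse_filterlog_line(line)
        if rec and rec["action"] == "block" and rec["dir"] == "in":
            yield rec


def top_blocked_sources(lines: Iterable[str], n: int = 10) -> List[Tuple[str, int]]:
    """Most frequent source addresses among inbound blocks, highest first."""
    return Counter(rec["src"] for rec in blocked_records(lines)).most_common(n)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/filter/latest.log") on a real box.
    for src, hits in top_blocked_sources(SAMPLE_LOG.splitlines()):
        print(f"{hits:6d}  {src}")
```

The counter only answers the "how much is being blocked, and from where" question; feeding the same parsed records into a GeoIP lookup or a syslog receiver is the natural next step once the volume is known.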
#86
General Discussion / Re: caddy, dmz and web apps
Last post by meyergru - November 17, 2025, 08:38:06 PM
I put all applications that are reachable from outside, regardless of whether they are containerized or VMs, in a DMZ. For docker containers, I have one docker host for internal services (on LAN) and one for web services (in DMZ).

Caddy does not really help if your apps are prone to authentication circumvention attacks, SQL injections or other attacks.

Take a full web UI like Proxmox as an example - I would not expose that with a "dumb" reverse proxy only, rather use a VPN or limit access to API endpoints. It would be similar for the Portainer UI.

By putting such applications in a separate network zone, potential attacks are mostly limited to spreading outside that zone.
#87
General Discussion / Re: Doubt in OPNsense
Last post by meyergru - November 17, 2025, 08:28:00 PM
If you mean the "let out anything from firewall host itself" rule - it is "last match", so if you block traffic before it, it will never fire.

Take a look at this, point 24.

Keep in mind that you then need to explicitly allow anything that is needed to build up your ISP connection, probably including DHCP.
#88
25.7, 25.10 Series / Re: What is going to happen to...
Last post by phiax - November 17, 2025, 08:06:06 PM
Quote from: Patrick M. Hausen on November 16, 2025, 05:45:34 PM
If you do not install the plugin, ISC DHCPd will essentially be removed.

Thanks, that's what I thought, but I'm glad to confirm this.
#89
General Discussion / Doubt in OPNsense
Last post by a24lucalvlao - November 17, 2025, 07:57:56 PM
Hello,

I would like to know if in OPNsense default rules can be modified or deleted.

This is causing me troubles since I want to create a rule to block everything from the firewall to the internet (to subsequently create a rule to only allow HTTP, DNS, HTTPS and NTP).

Thank you,

Lucas
#90
General Discussion / caddy, dmz and web apps
Last post by caplam - November 17, 2025, 07:28:12 PM
When I set up opnsense I created several vlans.
My main server is unraid. It has its interface eth0 on lan and subinterfaces in vlans.
I host several applications (immich, nextcloud, authentik, homeassistant and many others).
The majority of these applications are installed through portainer stacks.
Some are accessible from outside, others are restricted to lan IP.
I connect to these apps through the caddy plugin.
When I first set up caddy (previously I was using npm docker on unraid) I followed the documentation: (firewall wan+lan rule destination: this firewall dst ports: 80&443)
I placed devices in the according vlans when I set up dnsmasq dhcp, but I never took the time to move the apps to another vlan.
Should I really do that knowing all apps are behind caddy?

Should I change the firewall lan rule to the dmz vlan? afaik the best practice is to put the reverse proxy in the dmz.
Authentik is used to give access to almost all my apps (through oidc, LDAP or proxy provider); should I move it to the dmz?
I think you would guess I'm a little confused.