"Recent posts
#81
German - Deutsch / Re: IPSec und NAT
Last post by JeGr - December 05, 2025, 09:12:11 AMQuote from: Lucas P on December 04, 2025, 06:02:17 PMDie OutboundNAT Regel dann auf das IPSec Interface oder WAN?
Meinem Verständnis nach outbound auf IPsec Interface, denn da geht der Traffic "raus" aus deinem Netz. Also Source dein internes LAN, Destination das Remote Netz und als Translation IP dann die bspw. .100.97/32 damit alles abgehend auf die IP umgeschrieben wird. Wenn kein eingehender Traffic geplant ist, sollte es das eigentlich tun.
Cheers
#82
25.7, 25.10 Series / Re: Unbound error
Last post by franco - December 05, 2025, 08:34:06 AM# opnsense-patch https://github.com/opnsense/core/commit/3b01394d5
Needs an apply from the unbound: general settings.
Cheers,
Franco
Needs an apply from the unbound: general settings.
Cheers,
Franco
#83
General Discussion / Re: PSA: recent Comcast firmwa...
Last post by franco - December 05, 2025, 07:49:56 AM"allan" who reported the issue in the Comcast forum is an OPNsense user so maybe he has an update on the situation for us?
Cheers,
Franco
Cheers,
Franco
#84
General Discussion / Re: PSA: recent Comcast firmwa...
Last post by OPNenthu - December 05, 2025, 05:40:38 AMInteresting... looks like a recent firmware update brought some changes to residential modems, too (screen attached).
#85
General Discussion / Re: PSA: recent Comcast firmwa...
Last post by really_lost - December 05, 2025, 04:47:29 AMI was ultimately able to get Comcast to roll back my firmware and prefix delegation is working again. It took about a week, but I also opened the case the Wednesday before Thanksgiving.
Comcast is aware of the issue. They will eventually roll out updated firmware, but it sounds like that will take time. If you are affected by this, you'll want to get a ticket opened and request a firmware rollback.
Comcast is aware of the issue. They will eventually roll out updated firmware, but it sounds like that will take time. If you are affected by this, you'll want to get a ticket opened and request a firmware rollback.
#86
Tutorials and FAQs / Re: OPNsense aarch64 firmware ...
Last post by neel - December 05, 2025, 03:41:26 AMI'd love to have an UEFI ARM64 installer image. The Minisforum MS-R1 seems interesting enough being a 10GbE ARM Mini PC.
I can compile in a FreeBSD VM on my M3 MacBook Pro. Is this possible? It's either a MBP or two Raspberry Pi 4s, everything else has x86 for me (including the laptop I'm typing this on) or is a smartphone.
I can compile in a FreeBSD VM on my M3 MacBook Pro. Is this possible? It's either a MBP or two Raspberry Pi 4s, everything else has x86 for me (including the laptop I'm typing this on) or is a smartphone.
#87
General Discussion / UPNP Broken
Last post by lmnsour - December 05, 2025, 01:59:13 AMI've been trying to troubleshoot this for almost a week and cant seem to figure out what is wrong. I enabled UPNP earlier this year it worked fine but lately I've been getting STRICT NAT warnings from STEAM games.
The UPNP service shows no active connections.
I initially set it up using this guide: https://www.youtube.com/watch?v=g5EJYVnpmlM&t=193s
I've tried reinstalling the UPNP (v 1.7) and miniupnpd (v 2.3.9_1,1)
I've read and tried all of the following:
https://forum.opnsense.org/index.php?topic=17869.msg81044#msg81044
https://forum.opnsense.org/index.php?topic=17855.0
https://forum.opnsense.org/index.php?topic=32787.msg158703#msg158703
https://forum.opnsense.org/index.php?topic=22591.msg107325#msg107325
https://forum.opnsense.org/index.php?topic=37585.0
https://forum.opnsense.org/index.php?topic=42478.msg210152#msg210152
Did one of the updates break UPNP? Or am I missing something?
My OPNSENSE PC doesn't go through a router but is connected through a network switch.
The UPNP service shows no active connections.
I initially set it up using this guide: https://www.youtube.com/watch?v=g5EJYVnpmlM&t=193s
I've tried reinstalling the UPNP (v 1.7) and miniupnpd (v 2.3.9_1,1)
I've read and tried all of the following:
https://forum.opnsense.org/index.php?topic=17869.msg81044#msg81044
https://forum.opnsense.org/index.php?topic=17855.0
https://forum.opnsense.org/index.php?topic=32787.msg158703#msg158703
https://forum.opnsense.org/index.php?topic=22591.msg107325#msg107325
https://forum.opnsense.org/index.php?topic=37585.0
https://forum.opnsense.org/index.php?topic=42478.msg210152#msg210152
Did one of the updates break UPNP? Or am I missing something?
My OPNSENSE PC doesn't go through a router but is connected through a network switch.
#88
General Discussion / Wifi 802.11ac Support
Last post by Albertk - December 05, 2025, 01:57:55 AMHi,
I have managed to set an Intel AX200 m.2 card to work as STA for WAN but the issue is that is only connect via 802.11a (54Mbps). Since that OpnSense 25.7.x is based in FreeBSD 14.3 which support 802.11ac. Is there anything have to do to enable that?.
https://www.freebsd.org/releases/14.3R/announce/
I have managed to set an Intel AX200 m.2 card to work as STA for WAN but the issue is that is only connect via 802.11a (54Mbps). Since that OpnSense 25.7.x is based in FreeBSD 14.3 which support 802.11ac. Is there anything have to do to enable that?.
https://www.freebsd.org/releases/14.3R/announce/
#89
Hardware and Performance / Re: Suggestion for Bufferbloat...
Last post by cookiemonster - December 05, 2025, 01:09:05 AMQuote from: meyergru on December 02, 2025, 11:08:38 PMMaybe that is due to the TCP congestion algorithms used. You can change it with Windows, I think under Win10, it was BBR2, but that had some problems, so they reverted back to CUBIC for Win11.
With Linux, you can easily change it via sysctl. These are the values I use:Code Selectnet.core.rmem_default = 2048000
net.core.wmem_default = 2048000
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.ipv4.tcp_rmem = 4096 1024000 33554432
net.ipv4.tcp_wmem = 4096 1024000 33554432
# don't cache ssthresh from previous connection
#net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_adv_win_scale = 5
# recommended to increase this for 1000 BT or higher
net.core.netdev_max_backlog = 30000
# for 10 GigE, use this
# net.core.netdev_max_backlog = 30000
net.ipv4.tcp_syncookies = 1
# Enable BBR for Kernel >= 4.9
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
Interesting. I did not know anything about this. Thanks @meyergry
Quote from: Seimus on December 02, 2025, 11:30:01 PMQuote from: cookiemonster on December 02, 2025, 06:14:28 PMHey. I've been using a windows laptop for testing the bufferbloat so far. Normally I use linux but had a need to stay booted on Win last few days. This one is connected via a Wi-Fi 6 (802.11ax) Wifi network using a Intel(R) Wi-Fi 6E AX210 160MHz adapter. Depending on location I can get as little as 480/721 (Mbps) agregated link speed (rec/tran) so I have a bottleneck there at times. Wired connections are only one for a PC but I can't get to it most of the time.
For OPN's CPU I'm using an AMD Ryzen 5 5600U on Proxmox with two vCPUs. Just did a ubench run on it and gives: Ubench Single CPU: 910759 (0.41s). So I think that is Ok.
I've now reset the shaper to docs defaults. This time also the upload side. I need to reboot (had limit and flows on the pipe), I'll update the post.
HW should be okay to handle ZA + Shaper and that throughput.
But keep in mind the stuff about WiFi I mentioned above.
Regards,
S.
So far, gone back to exactly as docs I am getting consistent B grades. It seems to confirm my testing was flawed too. Wired testing seems better but don't have the values at hand.
That said, although I did know that I expected wired/wifi differences, I was hoping that the bufferbloat cure would help the wireless clients, which are the majority in the household, hence I was testing this way.
Is it possible or even desirable to tweak the shaper for wireless as main target ?
#90
25.7, 25.10 Series / Re: Lost web mgmt. on 25.7.9 u...
Last post by OPNenthu - December 05, 2025, 12:30:35 AMI thought it was an issue with the login session at first, so I hit 'refresh' in the browser to see if it would drop me out to the login screen. Unfortunately it was not responding.
