Recent posts

#81
25.7, 25.10 Series / Re: "Danger Unexpected error, ...
Last post by Jose - December 01, 2025, 03:32:07 PM
Hi, this was also posted here as well. I've been monitoring my firewall since, and all seems to be working fine so far.

Regards
#82
General Discussion / Re: Is public-dns.info still a...
Last post by Patrick M. Hausen - December 01, 2025, 03:26:07 PM
Quote from: meyergru on December 01, 2025, 03:06:35 PM
Since not all names are contained in the list without wildcards, it does not even work when I use that and set Mozilla to use DoH, because "mozilla.cloudflare-dns.com" is not contained in the list and does not resolve to the same IPs as cloudflare-dns.com. Thus, it is not blocked.

Hagezi's list I linked to contains e.g. "cloudflare-dns.com^" which at least in AdGuard Home means "cloudflare-dns.com" and any subdomain thereof. So mozilla.cloudflare-dns.com is covered.
#83
General Discussion / Re: referer protection
Last post by Maurice - December 01, 2025, 03:14:08 PM
Quote from: Zugschlus on December 01, 2025, 10:48:04 AM
Some of the older Forum Threads suggest that I should enter the name of the wiki as another alternate hostname in OPNsense. That CAN'T be correct advice, can it?

It actually is correct advice. The Alternate Hostnames are used for two separate features: DNS rebinding checks and HTTP_REFERER checks (as indicated in the UI).

By entering the hostnames of OPNsense itself, DNS rebinding checks pass.

But for HTTP_REFERER checks to pass, you'd also have to enter the hostnames of websites which link to OPNsense, like your wiki.

Would it make sense to have separate fields for DNS rebinding hostnames and HTTP_REFERER hostnames? Maybe.

Cheers
Maurice
#84
Hardware and Performance / Re: Any tips or gotchas with S...
Last post by Greg_E - December 01, 2025, 03:12:02 PM
The heat is definitely something I need to look at, as is the power draw, since this thin client only has a certain amount of power overhead for the cards.

I'll have to check my newer x520 cards and see if they support 2.5 and 5g, the older cards in my HP stuff did not, but most of them were Broadcom.

I may need to buy a few more 2.5g transceivers. I found a Wiitek on Amazon for $17, and I'm going to use this with a Moca 2.5 system and see how hot it gets in my switch.
#85
General Discussion / Re: Is public-dns.info still a...
Last post by meyergru - December 01, 2025, 03:06:35 PM
Maybe I am just too dumb, but how can one use that with OPNsense to block DoH servers?

I know I can use hostname-based lists with the "URL Table (IPs)" alias type (which sounds counter-intuitive); however, this obviously does not work with lists that contain entries like *.domain.xyz.

Since not all names are contained in the list without wildcards, it does not even work when I use that and set Mozilla to use DoH, because "mozilla.cloudflare-dns.com" is not contained in the list and does not resolve to the same IPs as cloudflare-dns.com. Thus, it is not blocked.

Using the wildcard hostname lists in an Unbound DNS blocklist seems unintuitive, because one could use the hard-coded IP to circumvent it and it would also block other services that might be within the affected domains.

I think what you really want here is a list of IPs to block for port 443?
#86
General Discussion / PPPoE cause double hop inside ...
Last post by Zenuncl - December 01, 2025, 03:05:14 PM
Hello everyone,

New to the OPNsense world, and I have an OPN box set up. I recently noticed that if my upstream ISP is using PPPoE, then the traceroute from LAN will show 2x OPNsense IP? I tested one without PPPoE and it works.

For example, ISP1 (without PPPoE, ISP router in bridge mode):
```
traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 40 byte packets
1  OPNsense (OPNsense IP)  4.406 ms  2.632 ms  3.292 ms
2  ISP Gateway (IPs)  8.288 ms  7.032 ms  8.213 ms
```

and ISP2 (with PPPoE and a VLAN tag):
```
traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 40 byte packets
1  OPNsense (OPNsense IP)  4.406 ms  2.632 ms  3.292 ms
1  OPNsense (OPNsense IP)  5.187 ms  5.502 ms  4.492 ms
2  ISP Gateway (IPs)  8.288 ms  7.032 ms  8.213 ms
```

I assume it is because of PPPoE behavior? How can I prevent it from happening?

PS: inside OPNsense, ISP1's first hop will be the ISP's gateway, but ISP2's first hop is 0.0.0.0 * (looks like it is internal)
#87
Virtual private networks / Re: wireguard site 2 site not ...
Last post by Patrick M. Hausen - December 01, 2025, 03:03:38 PM
What are the AllowedIPs settings in the WireGuard peer on each side?
#88
25.7, 25.10 Series / 25.7.8 update, lost internet a...
Last post by MarieSophieSG - December 01, 2025, 02:53:34 PM
Hello,
1.LAN RJ45 => 2 laptops
2.WAN
3.LAN RJ45 => bridge to cisco WiFi router (mostly Android devices)
4.LAN RJ45 => not tested.

Running 25.7.7, everything was good. (FW default allow all parameters)
28-Nov, updating to 25.7.8 => 2 devices lost their Internet access (1 laptop on 1.LAN (RJ45) and 1 laptop on 3.LAN (RJ45)), while the others (Android) kept theirs.
No setup, no parameter changed during/after (compared to before, on 25.7.7)

Checking the FW live view, I see these 2 laptops/IPs have all TCP connections rejected.
Since all Androids were still accessing the Internet, I swapped laptop1 from RJ45 on 1.LAN to WiFi on 3.LAN: same blockage; I switched laptop2 from RJ45 on 3.LAN to WiFi on 3.LAN: same blockage.

- How come TCP connections are now rejected, while everything is the same: same MAC, same static mapping IP, same rules, ...
- What should I do now? (I tend to break things, so I prefer asking before messing around in the FW rules)

Thank you!
MSSG

#89
25.7, 25.10 Series / Re: "The release type "opnsens...
Last post by franco - December 01, 2025, 02:52:23 PM
Because the installer predates the update?

It's a known issue since the package manager made a huge jump forward for different reasons and it wasn't fully compatible with the code anymore.

https://github.com/opnsense/changelog/blob/fc3bf62b7a67c598f14a122d6662fdb974b0d00e/community/25.7/25.7.6#L9-L14

Cheers,
Franco
#90
25.7, 25.10 Series / Re: Firewall: Log Files: Live ...
Last post by pfry - December 01, 2025, 02:48:57 PM
Quote from: Kayakero on December 01, 2025, 12:25:41 PM
Time is truncated and Source and Destination have a lot of wasted space. That's at least how I see it.

Source and Destination have extra whitespace for "Lookup hostnames".

Heh: Perhaps a good application for a template?