Recent posts

#81
26.1 Series / Re: Suricata - Divert (IPS)
Last post by agh1701 - January 31, 2026, 05:29:25 PM
Thanks!
#82
Virtual private networks / Routing everything through VPN...
Last post by FredFresh - January 31, 2026, 05:21:27 PM
In order to route everything through the WireGuard VPN connections (I have 2-3, each used as a backup of the previous one), I did the following:

partially followed the WireGuard road warrior guide:

- flagged "Gateway switching" in System - Settings - General;
- flagged "Upstream Gateway" in System - Gateways - Configuration for each of the WireGuard gateways;
- flagged "Failover States" & "Failback States" in each WireGuard gateway;
- gave a higher priority (lower number) to the WireGuard gateways (i.e. first VPN gw = 1, second VPN gw = 3, third VPN gw = 5, WAN = 7);
- the gateway monitoring brings each gateway online/offline in case something is not working;

- created a static route + firewall rule to each IP entry point through WAN (in order to avoid VPN connections going one through the other).

This way the WireGuard tunnels are basically used as a multi-WAN setup and I am finally able to route everything (also firewall-originated traffic) through the VPNs.

The question is: does this configuration have any security issue or any other flaw?

Everything works properly, except that after a random amount of time the handshakes are not renewed, although the IP entry points are still reachable: I am trying to understand the cause of this behaviour.

Thank you.
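
Three checks that follow from the setup in the post above, as an added example (not code from the post or from OPNsense): parsing `wg show all dump` to flag peers whose last handshake is older than WireGuard's 180 s reject window (the symptom in the last paragraph: endpoint still reachable, tunnel carrying nothing); a longest-prefix match over the routing table to confirm every peer endpoint leaves via WAN rather than through another tunnel (what the static routes are for, here with one endpoint deliberately left without its static route); and the failover group's effective egress for the priorities 1/3/5/7, which makes the one security consequence of that list explicit: when all three VPN gateways are marked down, traffic leaves through the plain WAN gateway, outside any VPN. Interface names (wg0-wg2, vtnet0), keys, addresses and the sample routing table are constructed for the example.

```python
"""Sanity checks for a WireGuard-as-upstream-gateway setup (added example, not
code from the thread or from OPNsense). Runs on constructed sample data shaped
like `wg show all dump` and like the destination/gateway/interface columns of
`netstat -rn`; interface names, keys and addresses are assumptions."""
import ipaddress
import time

# WireGuard protocol constants (seconds): initiator rekeys after 120 s, and a session
# whose last handshake is older than 180 s is discarded, so "endpoint still pingable
# but no new handshake" means the tunnel carries no traffic although the peer is up.
REKEY_AFTER_TIME = 120
REJECT_AFTER_TIME = 180

NOW = 1_769_880_000  # fixed "current time" so the constructed sample is reproducible

# Constructed `wg show all dump` output (tab separated). Interface lines have 5 fields;
# peer lines: iface, pubkey, psk, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive.
SAMPLE_DUMP = "\n".join("\t".join(row) for row in [
    ["wg0", "PRIV0", "PUB0", "51820", "off"],
    ["wg0", "PEER0", "(none)", "203.0.113.10:51820", "0.0.0.0/0", str(NOW - 45), "10240", "8192", "25"],
    ["wg1", "PRIV1", "PUB1", "51821", "off"],
    ["wg1", "PEER1", "(none)", "203.0.113.20:51820", "0.0.0.0/0", str(NOW - 900), "512", "4096", "25"],
    ["wg2", "PRIV2", "PUB2", "51822", "off"],
    ["wg2", "PEER2", "(none)", "203.0.113.30:51820", "0.0.0.0/0", "0", "0", "0", "25"],
])

# Constructed routing table as (destination, gateway, interface): the default route
# points into wg0; the first two endpoints have the static route via WAN that the
# post describes, the third one was forgotten.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "10.8.0.1", "wg0"),
    ("203.0.113.10/32", "198.51.100.1", "vtnet0"),
    ("203.0.113.20/32", "198.51.100.1", "vtnet0"),
    ("198.51.100.0/24", "link#1", "vtnet0"),
    ("10.8.0.0/24", "link#3", "wg0"),
]
WAN_IFACE = "vtnet0"
GATEWAY_PRIORITIES = {"VPN1": 1, "VPN2": 3, "VPN3": 5, "WAN": 7}  # priorities from the post


def parse_wg_dump(text):
    """Parse `wg show all dump` (the `all` form: iface is the first column) into peer dicts."""
    peers = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 5:  # interface header line, nothing to check
            continue
        if len(fields) != 9:
            raise ValueError(f"unexpected dump line: {line!r}")
        iface, pubkey, _psk, endpoint, allowed, handshake, rx, tx, _keepalive = fields
        peers.append({"iface": iface, "pubkey": pubkey, "endpoint": endpoint,
                      "allowed_ips": allowed.split(","), "latest_handshake": int(handshake),
                      "rx": int(rx), "tx": int(tx)})
    return peers


def stale_peers(peers, now=None, max_age=REJECT_AFTER_TIME):
    """Interfaces whose peer never handshaked or whose last handshake is older than max_age."""
    now = time.time() if now is None else now
    return [p["iface"] for p in peers
            if p["latest_handshake"] == 0 or now - p["latest_handshake"] > max_age]


def endpoint_host(endpoint):
    """Strip the port from 'host:port' or '[v6addr]:port'; None when wg reports '(none)'."""
    if endpoint == "(none)":
        return None
    host, _, _port = endpoint.rpartition(":")
    return host.strip("[]")


def route_for(routes, ip):
    """Longest-prefix match over (destination, gateway, iface) tuples, as the kernel would do."""
    addr = ipaddress.ip_address(ip)
    best = None
    for dst, gw, iface in routes:
        net = ipaddress.ip_network(dst, strict=False)
        if net.version == addr.version and addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def nested_tunnels(peers, routes, wan_iface):
    """Peers whose endpoint is reached through anything but the WAN interface: that tunnel
    would be carried inside another one (or the endpoint has no route at all)."""
    findings = []
    for p in peers:
        host = endpoint_host(p["endpoint"])
        if host is None:
            continue
        route = route_for(routes, host)
        via = None if route is None else route[2]
        if via != wan_iface:
            findings.append((p["iface"], host, via))
    return findings


def effective_egress(priorities, online):
    """Gateway a failover group selects: the lowest priority number among the online members.
    If that member is the plain WAN gateway, traffic leaves outside the VPNs (fail-open)."""
    candidates = [(prio, name) for name, prio in priorities.items() if name in online]
    return min(candidates)[1] if candidates else None


if __name__ == "__main__":
    peers = parse_wg_dump(SAMPLE_DUMP)
    print("stale tunnels:", stale_peers(peers, now=NOW))
    print("endpoints not leaving via WAN:", nested_tunnels(peers, SAMPLE_ROUTES, WAN_IFACE))
    print("egress with only WAN online:", effective_egress(GATEWAY_PRIORITIES, {"WAN"}))
```

To use it on the firewall, replace SAMPLE_DUMP with the real `wg show all dump` output and SAMPLE_ROUTES with the destination/gateway/interface columns of `netstat -rn`; a peer listed by `stale_peers()` while its endpoint still answers is exactly the handshake symptom from the post, and any entry from `nested_tunnels()` is an endpoint that still needs its static route via WAN.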
#83
26.1 Series / Re: Suricata - Divert (IPS)
Last post by xpendable - January 31, 2026, 05:01:28 PM
For me the rule is simple: a new rule in Rules [New] on the WAN interface, direction in, passing all traffic, with Divert-to set to Intrusion Detection. This basically replicates my previous setup by capturing all packets for inspection. I don't want it to be more granular; maybe in an enterprise environment, but not in my homelab. The order is up to you; place the rule accordingly based on your other rules for the WAN interface.

NOTE: Divert-to is hidden and is only available in the "Advanced Mode", so be sure to enable that in the top left corner of the new rule dialog.

I use the WAN interface and add my ISP router's IP address to Home Networks in the Suricata config; as far as I am aware this is the best method when using an IPS. On the LAN interface you may get more false positives and a lack of detections, since that interface is on your internal network. Intrusion attempts come from the external network in most cases, especially in homelab environments.

https://docs.opnsense.org/manual/ips.html#general-setup
https://docs.opnsense.org/manual/ips.html#advanced-options
#84
General Discussion / Re: os-adguardhome-maxit
Last post by Patrick M. Hausen - January 31, 2026, 04:47:14 PM
It's 1.16 - what exactly is the problem?
#85
26.1 Series / Re: Suricata - Divert (IPS)
Last post by agh1701 - January 31, 2026, 04:35:16 PM
Should it be the default lan pass rule?
#86
Q-Feeds (Threat intelligence) / Q-Feeds blocks the Tor Browser
Last post by vpx23 - January 31, 2026, 04:07:52 PM
Obviously the Q-Feeds IP blacklist blocks IPs that belong to the Tor network, therefore a connection is not possible.

Only if you enable an obfs4/Snowflake/meek bridge can you connect again with the Tor Browser, which is much slower than a normal connection.

Maybe an option "Don't block Tor IPs" would be possible in the options, although it's probably hard to differentiate those IPs from other ones.
#87
26.1 Series / Re: [Solved] OpnSense 25.7.11_...
Last post by oldRaven - January 31, 2026, 04:05:54 PM
I also had to SSH in and reinstall the pkg after receiving an upgrade error. Thanks for all of the hard work. 26.1_4 is running exceptionally well.
#88
26.1 Series / Re: WiFi interface broken afte...
Last post by apraile - January 31, 2026, 04:03:43 PM
Same here on PC Engines APU2C4 and wle200nx card (Atheros AR9280).
The upgrade log is available at the following link, in case it is helpful:
https://paste.debian.net/hidden/22cde1ad

Thanks.

#89
26.1 Series / Initialization of RRD files fa...
Last post by snyke - January 31, 2026, 04:00:55 PM
Hi,

fresh install of 26.1_4, I did some configuration and enabled data gathering for RRDs.

In the syslog I find tons of:

/usr/local/opnsense/scripts/health/updaterrd.php: The command </usr/local/bin/rrdtool create '/var/db/rrd/ntpd.rrd' --step 0 DS:'offset:GAUGE:120:-1000:1000' DS:'sjit:GAUGE:120:0:1000' DS:'cjit:GAUGE:120:0:1000' DS:'wander:GAUGE:120:0:1000' DS:'freq:GAUGE:120:0:1000' DS:'disp:GAUGE:120:0:1000' RRA:'MIN:0.5:1:1200' RRA:'MIN:0.5:5:720' RRA:'MIN:0.5:60:1860' RRA:'MIN:0.5:1440:2284' RRA:'AVERAGE:0.5:1:1200' RRA:'AVERAGE:0.5:5:720' RRA:'AVERAGE:0.5:60:1860' RRA:'AVERAGE:0.5:1440:2284' RRA:'MAX:0.5:1:1200' RRA:'MAX:0.5:5:720' RRA:'MAX:0.5:60:1860' RRA:'MAX:0.5:1440:2284'> returned exit code 1 and the output was "ERROR: step size: value must be positive"

Basically not a single RRD is created; of course creation with a step size of 0 fails.

Is this a known bug or a feature to save some disk space? ;-)

I don't think/see that the bit of configuration I did on top of the fresh install caused this.

After I created all of the databases with a (guessed) step size of 60, the errors stopped.

Best wishes
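
An added example (not OPNsense code) that parses the logged `rrdtool create` command from the post above, reproduces the "step size must be positive" failure as a check, derives a step from the DS heartbeats and rewrites the command with it. The rule "step = smallest heartbeat / 2" is an assumption based on the usual rrdtool convention of heartbeat = 2 x step; for the heartbeat of 120 in the logged command it yields the 60 the poster guessed. `LOGGED_COMMAND` is the command copied from the syslog line.

```python
"""Check and repair an `rrdtool create` command whose --step is 0 (added example,
not OPNsense code). LOGGED_COMMAND is the command from the syslog line in the post;
the "step = smallest DS heartbeat / 2" rule is an assumption (rrdtool convention
heartbeat = 2 * step), not something rrdtool itself enforces."""
import shlex

LOGGED_COMMAND = (
    "/usr/local/bin/rrdtool create '/var/db/rrd/ntpd.rrd' --step 0 "
    "DS:'offset:GAUGE:120:-1000:1000' DS:'sjit:GAUGE:120:0:1000' DS:'cjit:GAUGE:120:0:1000' "
    "DS:'wander:GAUGE:120:0:1000' DS:'freq:GAUGE:120:0:1000' DS:'disp:GAUGE:120:0:1000' "
    "RRA:'MIN:0.5:1:1200' RRA:'MIN:0.5:5:720' RRA:'MIN:0.5:60:1860' RRA:'MIN:0.5:1440:2284' "
    "RRA:'AVERAGE:0.5:1:1200' RRA:'AVERAGE:0.5:5:720' RRA:'AVERAGE:0.5:60:1860' RRA:'AVERAGE:0.5:1440:2284' "
    "RRA:'MAX:0.5:1:1200' RRA:'MAX:0.5:5:720' RRA:'MAX:0.5:60:1860' RRA:'MAX:0.5:1440:2284'"
)


def parse_create(cmd):
    """Split an `rrdtool create` command line into path, step, DS and RRA definitions."""
    argv = shlex.split(cmd)
    if len(argv) < 3 or argv[1] != "create":
        raise ValueError("not an rrdtool create command")
    spec = {"argv": argv, "path": argv[2], "step": None, "ds": [], "rra": []}
    i = 3
    while i < len(argv):
        arg = argv[i]
        if arg in ("--step", "-s"):
            spec["step"] = int(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--step="):
            spec["step"] = int(arg.split("=", 1)[1])
        elif arg.startswith("DS:"):  # DS:name:type:heartbeat:min:max (COMPUTE DS not handled)
            name, dst, heartbeat, lo, hi = arg[3:].split(":")
            spec["ds"].append({"name": name, "type": dst, "heartbeat": int(heartbeat), "min": lo, "max": hi})
        elif arg.startswith("RRA:"):  # RRA:CF:xff:steps:rows
            cf, xff, steps, rows = arg[4:].split(":")
            spec["rra"].append({"cf": cf, "xff": float(xff), "steps": int(steps), "rows": int(rows)})
        i += 1
    return spec


def problems(spec):
    """Why rrdtool (or the resulting database) would reject the spec."""
    out = []
    if spec["step"] is None or spec["step"] <= 0:
        out.append(f"step must be positive, got {spec['step']}")  # the error in the syslog line
        return out
    for ds in spec["ds"]:
        # heartbeat is the longest gap between two updates; updates every `step` seconds
        # with heartbeat < step would make every sample UNKNOWN
        if ds["heartbeat"] < spec["step"]:
            out.append(f"DS {ds['name']}: heartbeat {ds['heartbeat']} shorter than step {spec['step']}")
    return out


def recommended_step(spec):
    """Assumed convention heartbeat = 2 * step, so derive the step from the tightest heartbeat."""
    return min(ds["heartbeat"] for ds in spec["ds"]) // 2


def retention(spec, step):
    """(CF, seconds per consolidated row, seconds covered) for each RRA at the given step."""
    return [(r["cf"], r["steps"] * step, r["steps"] * r["rows"] * step) for r in spec["rra"]]


def fixed_command(spec, step):
    """Rebuild the command line with the given --step (inserted after the path if it was absent)."""
    argv, out, i, replaced = spec["argv"], [], 0, False
    while i < len(argv):
        if argv[i] in ("--step", "-s"):
            out += ["--step", str(step)]
            i, replaced = i + 2, True
            continue
        if argv[i].startswith("--step="):
            out.append(f"--step={step}")
            i, replaced = i + 1, True
            continue
        out.append(argv[i])
        i += 1
    if not replaced:
        out[3:3] = ["--step", str(step)]
    return shlex.join(out)


if __name__ == "__main__":
    spec = parse_create(LOGGED_COMMAND)
    print("problems:", problems(spec))
    step = recommended_step(spec)
    print("recommended step:", step)
    for cf, resolution, covered in retention(spec, step):
        print(f"  {cf}: one row per {resolution}s, covers {covered // 3600}h")
    print(fixed_command(spec, step))
```

`retention()` shows what each RRA covers at the chosen step (with 60 s, the 1200-row one-step archive holds 20 hours, the 5-step one 2.5 days), which is a quick way to sanity-check a guessed step against the graph ranges you expect to see in the GUI before recreating all the files.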

#90
General Discussion / os-adguardhome-maxit
Last post by Monju0525 - January 31, 2026, 03:54:38 PM
What is the latest version of os-adguardhome-maxit (installed: 1.16)? How do I get the latest? How do I upgrade?

fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
pkg update