"Recent posts
#81
Tutorials and FAQs / Re: Tutorial: Caddy (Reverse P...
Last post by Monviech (Cedrik) - January 22, 2026, 08:15:09 AMI do recommend not to host a website or files on your firewall.
#82
Tutorials and FAQs / Re: Tutorial: Caddy (Reverse P...
Last post by n3 - January 22, 2026, 08:13:17 AMHey, I want to use Caddy as a revers proxy and as I read, there is also a webserver integrated. Is it possible or recommended to use the caddy plugin to host a simple website or is it better to host the website somewhere else?
I read in the FAQ "There is no WAF (Web Application Firewall) support in this plugin. For a business grade Reverse Proxy with WAF functionality, use os-OPNWAF.". My setup is a HomeLab but when I expose services to the internet, I want a business grade secured setting.
So...
1. Can I host a website with the caddy plugin? If yes...
2. Should I host the website with the caddy plugin? If yes...
3. Do I have to do additional steps harden the system?
I read in the FAQ "There is no WAF (Web Application Firewall) support in this plugin. For a business grade Reverse Proxy with WAF functionality, use os-OPNWAF.". My setup is a HomeLab but when I expose services to the internet, I want a business grade secured setting.
So...
1. Can I host a website with the caddy plugin? If yes...
2. Should I host the website with the caddy plugin? If yes...
3. Do I have to do additional steps harden the system?
#83
25.1, 25.4 Series / Re: Large Alias Causing CPU sp...
Last post by franco - January 22, 2026, 07:34:21 AMSpikes will exist always based on setup. If you refer to code changes related to reducing spikes I suppose you're already running all the relevant code changes on 25.10.1 too. Details matter. Asking for blanket solutions on 6 months old threads isn't going to achieve much IMO.
Cheers,
Franco
Cheers,
Franco
#84
25.7, 25.10 Series / Re: [SOLVED] hostwatch at 100%...
Last post by franco - January 22, 2026, 07:31:32 AMHere's an updated version of hostwatch we're also consider shipping in a hotfix based on user feedback:
# pkg add -f https://pkg.opnsense.org/FreeBSD:14:amd64/snapshots/misc/hostwatch-1.0.6.pkg
Apply once from the GUI under Interfaces: Neighbors: Automatic Discovery to restart with the new binary.
To go back to the latest shipped version just issue this command:
# opnsense-revert -r 25.7.11_2 hostwatch
And reapply again from the GUI.
Cheers,
Franco
# pkg add -f https://pkg.opnsense.org/FreeBSD:14:amd64/snapshots/misc/hostwatch-1.0.6.pkg
Apply once from the GUI under Interfaces: Neighbors: Automatic Discovery to restart with the new binary.
To go back to the latest shipped version just issue this command:
# opnsense-revert -r 25.7.11_2 hostwatch
And reapply again from the GUI.
Cheers,
Franco
#85
25.7, 25.10 Series / Re: CALL FOR TESTING: IPv6 imp...
Last post by Slashing - January 22, 2026, 06:44:38 AMI have also completed the first part, and so far everything seems to be fine.
Code Select
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: LAN (lan)
options=880008<VLAN_MTU,LINKSTATE,HWSTATS>
ether bc:24:11:e4:42:08
inet 192.168.8.1 netmask 0xffffff00 broadcast 192.168.8.255
inet6 fe80::be24:11ff:fee4:4208%vtnet0 prefixlen 64 scopeid 0x1
inet6 2601:2c1:c600:5671:be24:11ff:fee4:4208 prefixlen 64 pltime 3700 vltime 3700
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vtnet1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN (wan)
options=880008<VLAN_MTU,LINKSTATE,HWSTATS>
ether bc:24:11:e3:3c:83
inet 76.30.75.80 netmask 0xfffffc00 broadcast 255.255.255.255
inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
inet6 fe80::be24:11ff:fee3:3c83%vtnet1 prefixlen 64 scopeid 0x2
inet6 2001:558:6022:c6:b103:3def:f639:2dfb prefixlen 128 pltime 5505 vltime 5505
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
vlan0.10: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: iot (opt1)
options=80000<LINKSTATE>
ether bc:24:11:e4:42:08
inet 172.16.127.1 netmask 0xffffff00 broadcast 172.16.127.255
inet6 fe80::be24:11ff:fee4:4208%vlan0.10 prefixlen 64 scopeid 0x7
inet6 2601:2c1:c600:5672:be24:11ff:fee4:4208 prefixlen 64 pltime 3700 vltime 3700
groups: vlan
vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: vtnet0
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> #86
25.1, 25.4 Series / Re: Large Alias Causing CPU sp...
Last post by guenti_r - January 22, 2026, 05:06:28 AMWaiting very long now, when will this be fixed?
These latency spikes exisit up to 25.10.1_2
These latency spikes exisit up to 25.10.1_2
#87
25.7, 25.10 Series / Re: What is the official migra...
Last post by Sheridan Computers - January 22, 2026, 04:45:39 AMI just open-sourced a small tool I wrote for a client to migrate ISC DHCP static mappings to Kea reservations using the OPNsense `config.xml`
It supports IPv4 and IPv6 static mappings and is read-only on the input (writes to a new file so you can review before importing). It only migrates static reservations, not pools or options.
I wrote this for a real migration but saw people asking, so I figured I'd share it.
Please test first and take a backup/snapshot before importing. Happy to get feedback if anyone tries it.
https://github.com/sheridans/isc2kea
It supports IPv4 and IPv6 static mappings and is read-only on the input (writes to a new file so you can review before importing). It only migrates static reservations, not pools or options.
I wrote this for a real migration but saw people asking, so I figured I'd share it.
Please test first and take a backup/snapshot before importing. Happy to get feedback if anyone tries it.
https://github.com/sheridans/isc2kea
#88
25.7, 25.10 Series / Re: Upgrade to 25.7.RC2 - ISC ...
Last post by Sheridan Computers - January 22, 2026, 04:24:11 AMFor anyone needing to migrate static mappings (especially DHCPv6), I put together a small offline converter that takes an exported config.xml and copies ISC static mappings into the Kea sections (v4 + v6).
Important notes:
Kea subnets still need to be created first in the GUI so the tool can map reservations to the correct subnet UUIDs.
Kea does not need to be enabled yet, you can import the converted config, review reservations in the UI, and only switch services when you're happy.
As always: take a backup / snapshot first.
The tool works on exported XML only and never touches the live system.
I originally wrote it for a client migration, but if others want to test it, I'm happy to share it.
Feedback welcome, especially for IPv6 and multi-VLAN setups.
https://github.com/sheridans/isc2kea
Important notes:
Kea subnets still need to be created first in the GUI so the tool can map reservations to the correct subnet UUIDs.
Kea does not need to be enabled yet, you can import the converted config, review reservations in the UI, and only switch services when you're happy.
As always: take a backup / snapshot first.
The tool works on exported XML only and never touches the live system.
I originally wrote it for a client migration, but if others want to test it, I'm happy to share it.
Feedback welcome, especially for IPv6 and multi-VLAN setups.
https://github.com/sheridans/isc2kea
#89
25.7, 25.10 Series / Re: upgrade to 25.7.2 from 25....
Last post by pfry - January 22, 2026, 01:58:16 AMHas anyone found TDR (available on many switches) to be worth anything? It's been about 20 years since I looked at it. (Edit: vague memories... it was only good for estimating length, and not much good for that. Sorry about the noise.)
#90
25.7, 25.10 Series / Re: Unbound reporting not work...
Last post by wallaby501 - January 22, 2026, 12:12:56 AMOddly enough, after another weird reboot (probably need to reinstall) it seems to be working somehow. Maybe it needed time (I gave it a day and no change but I guess it's been a few days at least by now) or something happened with that latest reboot.
