Recent posts

#81
25.7, 25.10 Series / DHCP - device gets IP w/o rese...
Last post by opn_minded - Today at 11:14:26 AM
Hi there,

I have a strange issue regarding a device that gets an IP, but has no reservation set for it. First things first, I'm on opnSense 25.7.7_4. The device is a soundbar that is connected by cable and once had 10.0.40.4 as IP reservation. Several months ago, I decided that this device doesn't need to be online anymore, so I removed its reservation in KEA.

A couple of days ago I found out that 10.0.40.4 is (still) ping-able, even though it has no IP reservation in KEA. When I disable the switch port (the one the soundbar is connected to), I can't ping that IP.

My (IoT) VLAN is defined as 10.0.40.0/24, with just a single IP (10.0.40.199/32) as pool.

In my understanding - if I haven't set up an IP reservation for a certain device (based on its MAC), this device shouldn't be able to obtain an IP and access subnets. Am I wrong or is this actually an issue?
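The situation described above is easier to reason about once you check whether Kea actually knows the address at all. The following Python script is an added illustration, not the poster's configuration and not OPNsense or Kea code: it parses a Kea memfile lease CSV (assumed to carry the columns Kea 2.x writes; older files lack the trailing pool_id column, which the parser tolerates) and classifies an address as actively leased, expired, or never leased. The lease rows and the "current time" are constructed sample data. The underlying point is that a DHCP reservation only decides which address a known MAC is offered; a device with a statically configured address, or one that keeps using an address after its lease ran out, never needs DHCP, so what it may reach is decided by the firewall rules on the VLAN interface, not by Kea.

```python
import csv
import io

# Constructed sample in Kea memfile CSV layout (assumption: Kea 2.x columns;
# older files simply lack pool_id). One active lease for the pool address,
# one lease for the soundbar's former address that expired months ago.
SAMPLE_LEASES = """\
address,hwaddr,client_id,valid_lifetime,expire,subnet_id,fqdn_fwd,fqdn_rev,hostname,state,user_context,pool_id
10.0.40.199,aa:bb:cc:dd:ee:01,01:aa:bb:cc:dd:ee:01,86400,1764100000,1,0,0,sensor-1,0,,0
10.0.40.4,aa:bb:cc:dd:ee:02,01:aa:bb:cc:dd:ee:02,86400,1740000000,1,0,0,soundbar,0,,0
"""

NOW = 1764000000  # constructed "current time" in Unix seconds (late November 2025)

STATE_DEFAULT = 0  # Kea lease state: 0 default, 1 declined, 2 expired-reclaimed


def parse_leases(text):
    """Map address -> most recent lease row.

    memfile is append-only between lease-file cleanups, so one address can
    appear several times; the row with the latest expiry is the current one.
    """
    latest = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["expire"] = int(row["expire"])
        row["state"] = int(row["state"])
        prev = latest.get(row["address"])
        if prev is None or row["expire"] > prev["expire"]:
            latest[row["address"]] = row
    return latest


def classify(ip, leases, now=NOW):
    """Explain why an address might still answer on the wire."""
    lease = leases.get(ip)
    if lease is None:
        # Kea never issued this address: static configuration on the device,
        # or another DHCP server on the segment.
        return "no-lease"
    if lease["state"] == STATE_DEFAULT and lease["expire"] > now:
        return "active"
    # Lease ran out (or was declined/reclaimed) but the host may keep using
    # the address; many embedded devices do exactly that.
    return "expired"


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    for ip in ("10.0.40.199", "10.0.40.4", "10.0.40.5"):
        print(ip, classify(ip, leases))
```

To use it on a real firewall, read the lease file into `parse_leases` instead of `SAMPLE_LEASES`. An address reported as `no-lease` or `expired` that still answers ping is holding the address on its own; disabling the switch port, as the poster did, confirms which device it is, and keeping that device away from other subnets is a job for the VLAN's firewall rules (for example, pass rules limited to an alias of known hosts) rather than for DHCP.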
#82
German - Deutsch / Re: IT Security Experte Floria...
Last post by opnsenseuser - Today at 11:02:33 AM
Of course, you have to question everything these days. I linked the guy's website in the first post.

But there is surely more than one security expert in Germany!

His site also lists events. On 20-21.5.2026 he or one of his colleagues is supposed to give a talk.
But of course that can be faked too. But if we've reached that point, then I also have to ask myself whether I'm only talking to chatbots here. ;-)

#83
General Discussion / Re: Managing the HA passive no...
Last post by Zugschlus - Today at 10:55:34 AM
Quote from: Zugschlus on November 29, 2025, 12:50:27 PM
Quote from: viragomann on November 28, 2025, 05:23:42 PM
You need to add the rule to the interface, which the traffic is going out.

If you want to access the LAN IP of the secondary, the packets will go out on the LAN interface. If you access the SYNC interface, the packets go out on SYNC.
It's wise to always use the same IP to access the firewall. So you need the rule only on a single interface.

And of course you should limit the rule to the admin source and to the secondary as destination.
Best to use an alias, which includes both, the IP of the primary and secondary, so you can sync the rules to the secondary and it will also work in case it has the master role.

Thanks for your advice, that's what I'll do.

I did that with an outbound rule on the Management Interface, so that I don't have a NAT rule on the production network. Seems to work fine, no side effects noticed yet.
#84
General Discussion / referer protection
Last post by Zugschlus - Today at 10:48:04 AM
Hi,
this has been discussed a number of times, but a few years ago, and OPNsense has continued to be developed. And, frankly, I didn't understand the explanations.

I think that I am not the only person who has a web page on an internal Wiki that contains the link to the administration pages of the managed devices. I therefore have links to my OPNsense Web UI machines there. The hostname that is part of those links is entered in System > Settings > Administration (multiple host names, for both nodes, as a space separated list, all spelled correctly).

One of the hostnames I have listed there, for example is opnsense2.mgt.ka51.zugschlus.de. That host name is correctly in the local DNS and maps to a primary IP address of the OPNsense installation.

The Link in my Wiki page points to https://opnsense2.mgt.ka51.zugschlus.de/

And still, when I click on the link, I _sometimes_ get the message that OPNsense doesn't like my referer.  Sometimes, but not every time. I guess that depends on whether I am already logged in to the device in another tab of that browser.  The exact error message is "The HTTP_REFERER "http://mywiki.example.com/" does not match the predefined settings. You can disable this check if needed under System: Settings: Administration"

When does this happen? Why does this happen? I think I have everything configured correctly. Can this possibly have to do with the fact that the wiki is (still, don't ask) an unencrypted http server?

What is the referer check supposed to protect me from? Currently it is protecting me from easily accessing my devices. Is there any trick I can use to have working links AND referer protection? Is there a (hidden?) setting that allows me to set allowed referers?

Some of the older Forum Threads suggest that I should enter the name of the wiki as another alternate hostname in OPNsense. That CAN'T be correct advice, can it?

Greetings
Marc
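To make the behaviour described above easier to reason about, here is an added Python model of a referer check (illustrative code, not OPNsense's implementation): a request with no Referer passes, a Referer whose host is the firewall itself or one of the configured alternate hostnames passes, and any other host is refused. Apart from the hostname quoted in the post, the hostnames are constructed placeholders. The scenarios at the bottom reproduce the poster's observation: a bookmark or a link clicked inside the firewall's own UI carries an acceptable Referer (or none), while the same URL clicked on the wiki page carries the wiki's origin and is refused, with or without TLS on the wiki, because this model compares hostnames, not schemes. What the check defends against is a page on a foreign origin steering a logged-in browser to firewall UI URLs; if OPNsense behaves like this model, giving the wiki links rel="noreferrer" makes the browser omit the header, so the links work while the check stays enabled.

```python
from urllib.parse import urlsplit

# Hostnames accepted in Referer. The first is from the post; the second is a
# constructed placeholder standing in for the other HA node.
ALLOWED_HOSTS = {
    "opnsense2.mgt.ka51.zugschlus.de",
    "opnsense-other-node.example.invalid",
}


def referer_check(referer, request_host, allowed_hosts=ALLOWED_HOSTS):
    """Return (allowed, reason) for one request.

    Model only: an absent header passes, a host on the allow-list or equal to
    the Host the request was sent to passes, anything else is refused. The
    scheme (http vs https) plays no part in the comparison.
    """
    if not referer:
        return True, "no Referer header (bookmark, typed URL or rel=noreferrer link)"
    host = (urlsplit(referer).hostname or "").lower()
    if host == request_host.lower() or host in allowed_hosts:
        return True, f"Referer host {host} is a configured hostname"
    return False, f'The HTTP_REFERER "{referer}" does not match the predefined settings'


def run_scenarios(request_host="opnsense2.mgt.ka51.zugschlus.de"):
    """Constructed click scenarios; returns {label: allowed}."""
    scenarios = {
        "bookmark": None,
        "link inside the firewall UI": f"https://{request_host}/",
        "link on the http wiki": "http://mywiki.example.com/",
        "link on the same wiki over https": "https://mywiki.example.com/",
        "wiki link with rel=noreferrer": None,
    }
    return {label: referer_check(ref, request_host)[0] for label, ref in scenarios.items()}


if __name__ == "__main__":
    for label, allowed in run_scenarios().items():
        print(f"{'allowed' if allowed else 'REFUSED':8} {label}")
```

The model also shows why adding the wiki's hostname to the alternate hostnames list would "work": it would simply teach the check to trust the wiki's origin, which is a wider exception than suppressing the header on the wiki's side.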
#85
25.7, 25.10 Series / Re: Suricata IPS Mode
Last post by turipriv - Today at 10:38:10 AM
Hi there,

What issue are you facing in enabling it?

Also, do you plan to monitor the WAN-side or the LAN-side?
#86
Yes, but who is the dude? When a video comes along with a sensationalist presentation and I don't know the "expert", I immediately get suspicious. One could also have interviewed Manuel Atug, for example ...
#87
German - Deutsch / Re: IT Security Experte Floria...
Last post by opnsenseuser - Today at 09:48:32 AM
Quote from: Zapad on November 30, 2025, 06:24:04 PM
Sorry, I couldn't hear anything useful in there (that one doesn't already know)....

Someone is just making himself important.... something like a poor man's Snowden.

For professionals there's certainly not much new in it. It's more intended for people with less know-how and less background.
#88
General Discussion / Re: Degraded printer functiona...
Last post by meyergru - Today at 09:41:29 AM
...which by default allow any to any for any IP protocols on LAN? ;-)
#89
Quote from: Mpegger on November 30, 2025, 11:10:54 PM
I should probably ask if there is a known reliable regularly updated list of DoH servers to use for blocking purposes?

https://github.com/hagezi/dns-blocklists?tab=readme-ov-file#bypass

HTH,
Patrick
#90
Quote from: jonny5 on July 23, 2025, 10:28:25 PM
As the CrowdSec Parser Agent that is installed will parse what it is told to from the `/usr/local/etc/crowdsec/acquis.d/*.yaml` and `/usr/local/etc/crowdsec/acquis.yaml` on the OPNSense, it is more about the detail there, and the Allowlists and other pre and post processing you configure.

That all said, by default the plug-in's CrowdSec Agent Parser will parse the firewall/pf logs. You can have it parse more, such as Suricata, and in this case it would be up to you to configure Suricata to only look at WAN or to have CrowdSec collect the logs and apply that filter logic in the acquis details and follow-up pre/post processing configs respectively.

The OPNSense CrowdSec plug-in also includes a Blocker Agent; it will listen to your LAPI (the Server side of your local CrowdSec city brawl plug-in) and update the WAN-only blocklist that is configured as a part of the plug-in installation. This already meets your needs from what I understand.

!! Major extra / might not be on your focus !!:

You can do more to modify and retain your modification for the CrowdSec plug-in btw...

From using an external LAPI, to not using the Blocker Agent (keeping only the Parser Agent active on the OPNSense)

Then, making your own Alias and Firewall rules to use the CrowdSec list where and how you want

I have not published my how-to on how to do this, as it isn't really as good as I'd like it to be (it works, but on a 10 second scale of update, and updates/refresh to the Alias active content has taken 7 seconds in the past), so once I learn how to update the data in the PF alias list on the back end of OPNSense... I'll post a blog entry on doing more with the CrowdSec feature. Likely I just need to look more into doing a manual install of CrowdSec's FreeBSD blocker on an OPNSense.
Also helpful to remember: the OPNsense CrowdSec plug-in already applies blocklists only on the WAN interface by default. So for most setups, you mainly need to adjust acquis to prevent LAN log parsing and avoid the random connection issues you were seeing.