Recent posts

#81
I also prefer to have a single chokepoint for public inbound access. I run Caddy and HAproxy depending on the requirements.
Paired with block lists I feel safe enough to sleep well.

This of course calls for a couple of procedural/administrative measures to be in place:

- update regularly and timely
- follow common security information sources like mailing lists (of the upstream projects e.g. Caddy/HAproxy), this forum, or more general cve.org.
  (although I would argue that globally the CVE process is broken)
- in case of any published exploit have or acquire the expertise to assess if it applies to you at all

Seriously, running HAproxy on a separate machine with OPNsense passing the traffic won't buy you much. The machine/container will be compromised, it's well inside (behind OPNsense) your network, upstream services published to the Internet by definition trust this proxy ...

All the traffic is TLS encrypted, anyway. So OPNsense in front of that hypothetical separate proxy cannot inspect the traffic.

All in all: Do put your eggs in one basket and watch that bloody basket!

That's the job of a firewall in my opinion.

HTH,
Patrick
#82
Correct. Any client on the network can access everything, going over the tunnel just fine. If traffic originates from firewall, it does not go over the tunnel.

Last night I applied updates to the firewalls (25.10_2 for OPNsense Business), and now I can ping via the GUI, but not the shell (either from option 7 or via command line).

I also tried to do a policy based route. On Firewall:Rules:LAN, I created a rule like this:

Protocol: IPv4*
Source: This Firewall
Destination: 10.1.0.0/16
Port: *
Gateway: WG_GW (Gateway for WG Tunnel, 172.19.0.1)

This did not help either.

I really think it is something simple I am missing. Just might be over complicating it a bit :D
#83
General Discussion / Re: HAproxy: OPNsense plugin o...
Last post by cookiemonster - February 02, 2026, 11:35:16 PM
I consider haproxy battle-tested and secure, with a lot of resources behind it as in people developing, using, reporting defects, etc. A lot more than more recent thingies like caddy and suchlike. I see haproxy as similar in security to nginx.
That said, mostly for placebo maybe, I am using crowdsec on haproxy to permaban those scanner types.
As for being a plugin it has pros and cons. You get a nice UI but not every functionality is exposed by it. For the basic reverse proxy it is excellent; maybe webadmin can help if using it on a separate VM or LXC. I haven't looked. So if you need/want to do config changes it is easier and more flexible without the plugin. See for instance https://github.com/opnsense/plugins/issues/4923
#84
26.1 Series / One of the two NICs stops resp...
Last post by scottini - February 02, 2026, 11:32:57 PM
Hello,
my setup includes two WANs configured for load balancing.
Since updating to 26.1, one of the two works correctly from a routing point of view, but cannot be reached from the outside either via HTTPS or ping.
The firewall rules are correct and identical to those of the other WAN, which works just as well and can be reached from the outside via both HTTPS and ping.
The chipset for both NICs is Intel i225V, and before the update, both were reachable.
If I restart the firewall, the problematic NIC is reachable for a couple of minutes, and then stops responding to ping and HTTPS from the outside, while continuing to work for the connection. Its gateway always remains green.
What could have happened, and how can I fix it?

Many thanks!
#85
Development and Code Review / Re: OpenID Connect SSO plugin
Last post by Heliox - February 02, 2026, 11:00:36 PM
This plugin does not require the business license. Whether it works for your use case I do not know. I have been using it in a simple private setup (Authentik) and am very happy.


For the OIDC you get in the business version - this seems to be the documentation https://docs.opnsense.org/vendor/deciso/oidc.html. Suggest you move your question to another topic if it is not for the Lachee version.


#86
26.1 Series / Re: 26.1 - Success
Last post by franco - February 02, 2026, 10:56:13 PM
> we all charge in

By all means.  :)

Feedback has been invaluable so far... also noting we're on the right track here with a decade-long adventure slowly approaching the inevitable finish line. This is great.


Cheers,
Franco
#87
26.1 Series / Re: 26.1 - Success
Last post by passeri - February 02, 2026, 10:53:14 PM
I have upgraded a test bed and an internal router, including successful migration of rules (yes Franco, we all charge in). I will probably do the critical edge firewall today. Being able to snapshot the working 25.7 and then the base 26.1 before rule migration provides nice security, or encourages diving in.
#88
General Discussion / HAproxy: OPNsense plugin or is...
Last post by Untoasted9563 - February 02, 2026, 10:38:33 PM
Hi all,

I am running the HAProxy plugin as reverse-proxy for providing my self-hosted services that need to be public (behind a bunch of blocklists including geoblocking).

If I understand correctly, HAProxy runs directly on the OPNsense system, and not somehow as a container or VM. I was wondering if an attacker could exploit a vulnerability of HAproxy and with that gain access to OPNsense itself, the core of my home network? Would I gain anything in terms of security when putting HAproxy in an LXC or VM on proxmox (different hardware than my bare metal OPNsense box), living in its separate DMZ vlan?

How do you all run HAproxy? As OPNsense plugin or standalone? If standalone, do you edit the config files directly, or is there something similar to the OPNsense webUI that facilitates changes in the config?

Sorry if this has been asked before, I did search but maybe not with the best keywords.

Cheers and thanks in advance,
Untoasted
#89
26.1 Series / Re: WiFi interface broken afte...
Last post by franco - February 02, 2026, 10:38:31 PM
Thanks for confirming.

Quote
maybe if I may suggest:
 - is shorter (as you don't want to use sprintf())
 - easier to follow in the future

Fair points. We're aiming for correctness and ease of following the code and not concerned with compressing input at the moment.

Making empty escapes serves a very specific and necessary purpose of not misplacing arguments on the command line when one or more arguments end up empty by accident.

We're already discussing avoiding the use of vsprintf() internally as there are limits to its ability to escape number types and that likely means we'll write a short replacement function for "%%" and "%s" only which could also allow adding an empty argument escaper formatter. It would collapse the code back to what it was, e.g. with "%o":

mwexecf('/sbin/ifconfig wlan create wlandev %s %o bssid name %s', [$baseif, $mode, $device]);

Though the pattern for variadic format strings is used only in 10% of cases and this is the sole use of an optional argument that I've seen in the project's history and is likely inherent to ifconfig more than anything.


Cheers,
Franco
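To make the escaping behaviour discussed in this post concrete, here is an added example (not OPNsense's mwexecf and not Franco's code) of a minimal formatter that supports only "%%", "%s" and an optional "%o". The function name shell_format and the exact "%o" semantics (drop the placeholder and one neighbouring space when the value is empty) are assumptions for illustration; the quoting is done with PHP's escapeshellarg, and the argument values in the demonstration are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not OPNsense code. A minimal shell command formatter in the spirit
// of the "%%" / "%s" / "%o" replacement sketched in the post. The name shell_format
// and the "%o" semantics are assumptions made for this illustration.
//
//   %%  literal percent sign
//   %s  mandatory argument; always quoted, so an empty string still occupies its
//       slot on the command line as '' instead of silently disappearing
//   %o  optional argument; an empty value is dropped together with one adjacent
//       space, so one format string covers both the "with" and "without" case
function shell_format(string $fmt, array $args): string
{
    $out = '';
    $next = 0;          // index of the next argument to consume (0-based list)
    $len = strlen($fmt);

    for ($i = 0; $i < $len; $i++) {
        $c = $fmt[$i];
        if ($c !== '%') {
            $out .= $c;
            continue;
        }
        $spec = $fmt[$i + 1] ?? '';   // '' when '%' is the last character
        $i++;                         // consume the conversion character

        switch ($spec) {
            case '%':
                $out .= '%';
                break;

            case 's':
            case 'o':
                if (!array_key_exists($next, $args)) {
                    throw new InvalidArgumentException(
                        "no argument for %{$spec} at format offset " . ($i - 1)
                    );
                }
                $val = (string)$args[$next++];
                if ($spec === 'o' && $val === '') {
                    // Drop the placeholder; also swallow the following space when the
                    // output already ends in one, so no double space is left behind.
                    if (($fmt[$i + 1] ?? '') === ' ' && substr($out, -1) === ' ') {
                        $i++;
                    }
                    break;
                }
                // escapeshellarg('') yields '' so an empty %s keeps its position.
                $out .= escapeshellarg($val);
                break;

            default:
                throw new InvalidArgumentException("unsupported conversion '%{$spec}'");
        }
    }

    if ($next !== count($args)) {
        throw new InvalidArgumentException(
            'argument count mismatch: format consumed ' . $next . ' of ' . count($args)
        );
    }
    return $out;
}

// Demonstration with the ifconfig format string from the thread; the argument
// values below are constructed and carry no meaning for ifconfig itself.
$fmt = '/sbin/ifconfig wlan create wlandev %s %o bssid name %s';

echo shell_format($fmt, ['ath0', '', 'wlan0']), "\n";
// /sbin/ifconfig wlan create wlandev 'ath0' bssid name 'wlan0'

echo shell_format($fmt, ['ath0', 'up', 'wlan0']), "\n";
// /sbin/ifconfig wlan create wlandev 'ath0' 'up' bssid name 'wlan0'

// With %s an accidental empty argument keeps its slot instead of shifting 'wlan0' left:
echo shell_format('/sbin/ifconfig %s %s', ['', 'wlan0']), "\n";
// /sbin/ifconfig '' 'wlan0'
```

The trailing argument-count check is the part that guards against the mistake the post describes: a format string consuming fewer values than it was given (or asking for more) fails loudly at build time instead of producing a shifted command line.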
#90
26.1 Series / Re: WiFi interface broken afte...
Last post by notspam - February 02, 2026, 10:31:17 PM
Quote from: hakuna on February 02, 2026, 09:20:02 AM
Quote from: sandy on January 29, 2026, 01:33:45 PM
After getting it to work with a lot of effort only to have it break again after not even a day when updating I consider the wlan support so broken that I am ready to give up and look for a more stable solution and use an external access point.

This is a common bad decision, using one device for everything (many, me included, have been there): if it dies or has issues, there goes the entire network.

Like Seimus recommended, I have an Asus RT-AX53U running openwrt for years now.
You set it and forget it; the latest release is 24.10.5 but if you feel up to some adventure, you can get snapshot or RC images.

Sorry, you must really differentiate the situation.
There is a working function now broken and it needs to be fixed.
This is not a question of separate functions by spreading it to different devices.
There are lots of use cases an all-in-one appliance is the right answer f.e. in small remote branches.