"Recent posts
#81
German - Deutsch / Re: Welches DSL-Modem für VDSL...
Last post by k0ns0l3 - January 28, 2026, 03:51:17 PMAlso so weit lauft alles gut und stabil, jezt noch voip (fritz ist jetzt hinter OPNsense)einrichten, brauche noch von jemand gute Tipp 🤗
Lg
Lg
#82
General Discussion / Re: GeoIP not working
Last post by cookiemonster - January 28, 2026, 03:47:04 PMscratch that for now. Even I am not sure.
#83
25.7, 25.10 Series / Re: Multi Wan Failover and DNS...
Last post by viragomann - January 28, 2026, 03:39:06 PMQuote from: ricksense on January 28, 2026, 02:44:36 PMFor the time being, I can reach OPNsense dashboard even without the ruleThis might be allowed by the automatically generated "anti-lockout rule", which is not shown up by default.
Quote from: ricksense on January 28, 2026, 02:44:36 PMI also set up NAT rules for DNS redirectionNormally this also adds a rule for allowing the access.
Checking your whole rule set including "Automatically generated rules", "Floating rules" and "Group rules" if any might give you a better insight, whats allowing the traffic.
You can also enable logging in each rule and checkt out the log after trying to access your firewall.
#84
German - Deutsch / Re: Welches DSL-Modem für VDSL...
Last post by kruemelmonster - January 28, 2026, 03:39:03 PMIch halte es ebenso wie Patrick. Raus darf jeder Client. Nur eingehend ist auf dem WAN dicht. Zusätzlich habe ich das VLan, in dem meine Rechner und vor allem mein NAS (mit 2 ..3 kleinen virt. Servern) hängen ausgehend dicht gemacht. Damit kann ich sehr sauber kontrollieren wer mit seinem Gerät (Laptop, Handy etc.) auf welche Resource (u. a. Rezept-Datenbank, paperless ) in dem Vlan zugreifen darf. Zusätzlich ist auf meinem Hauptrechner, auf dem paperless läuft, jeglicher Zugriff mit der Firewall des PC eingeschränkt.
DNS halte ich genauso wie Patrick. (kein Wunder, habe das Konzept letztlich von ihm übernommen,-). Nur das ich auf dem unbound auf der OpnSense zusätzlich die DoH-Filterliste von hagezi und 2 ..3 manuell eingetragende Blockaden verwende. Ob das bei DoH 100%-ig funktioniert, wage ich zu bezweifeln, aber besser als nichts. Habe an der Stelle bislang nicht das Gefühl, das da etwas zuviel geblockt wird.
DNS halte ich genauso wie Patrick. (kein Wunder, habe das Konzept letztlich von ihm übernommen,-). Nur das ich auf dem unbound auf der OpnSense zusätzlich die DoH-Filterliste von hagezi und 2 ..3 manuell eingetragende Blockaden verwende. Ob das bei DoH 100%-ig funktioniert, wage ich zu bezweifeln, aber besser als nichts. Habe an der Stelle bislang nicht das Gefühl, das da etwas zuviel geblockt wird.
#85
General Discussion / Re: GeoIP not working
Last post by cookiemonster - January 28, 2026, 03:29:25 PM@buckey96 - I took the opportunty to change from maxm to ipinfo with this. I was meaning to look into anyway.
I had at of trouble getting the download but solved it and I think what is happening is that you get the error because like me at first, your download hasn't succeeded yet.
First, the ipinfo download url for OPN has to be like Patrick's i.e. https://ipinfo.io/data/ipinfo_lite.csv.gz?token=YOURTOKEN
Second, you need to get the download to work before you can use the alias. Otherwise the error. Here is where I noticed no errror but no update since last for me ie. yesterday's from maxmind.
To force it I had to, on the "Alias" page/tab untick it to disable & apply at the bottom. Tick to enable & apply again.
Try that and see but have a little patience. It download about what 20 or more MB file, uncompress it and save before it shows a new timestamp.
I had at of trouble getting the download but solved it and I think what is happening is that you get the error because like me at first, your download hasn't succeeded yet.
First, the ipinfo download url for OPN has to be like Patrick's i.e. https://ipinfo.io/data/ipinfo_lite.csv.gz?token=YOURTOKEN
Second, you need to get the download to work before you can use the alias. Otherwise the error. Here is where I noticed no errror but no update since last for me ie. yesterday's from maxmind.
To force it I had to, on the "Alias" page/tab untick it to disable & apply at the bottom. Tick to enable & apply again.
Try that and see but have a little patience. It download about what 20 or more MB file, uncompress it and save before it shows a new timestamp.
#86
25.1, 25.4 Series / Re: OPNsense haproxy SSL_TLS_S...
Last post by fraenki - January 28, 2026, 02:51:56 PM #87
25.7, 25.10 Series / Re: Multi Wan Failover and DNS...
Last post by ricksense - January 28, 2026, 02:44:36 PMQuote from: viragomann on January 28, 2026, 02:18:13 PMThe guide suggests to do policy-routing for all LAN traffic in step 4. This means any traffic would be sent out to the current upstream gateway (gateway group). Hence you would not be able to reach any internal destination, even not OPNsense itself.
The suggested rule in step 5 would allow DNS only to OPNsense befor this.
If DNS resolution on your internal devices works anyway without it, you either didn't state the gateway in step 4 or your internal devices are not configured to use OPNsense for DNS resolution.
For the time being, I can reach OPNsense dashboard even without the rule, if I exactly got what you meant about this point.
As for DNS resolution I set up Unbound for DoT DNS. I also set up NAT rules for DNS redirection and even block DoH DNS queries from LAN clients.
Maybe I missed something here.
Thanks
#88
25.7, 25.10 Series / Re: DuckDB-related DNS/DHCP ou...
Last post by mawa2559 - January 28, 2026, 02:35:32 PMHello!
I checked /var/log/resolver/resolver_20260126.log and don't have any entries in that immediate timeframe aside from the database restore line - I actually have zero entries in the log UNTIL that database auto restore occurs.
I did not see any activity that looked anomalous from clients when I was troubleshooting, and I've had 99% free disk space since installing opnsense, currently sitting at about 1.3gb in use. I cleared log data and turned off unbound reporting as part of troubleshooting so no new data currently.
I experienced another episode of DNS/DHCP failures less than 12 hours after disabling unbound reporting. BUT, after finding all of the reports of HostWatch causing issues I've had autodiscovery disabled for about 24 hours now and so far I have not had any problems. If I don't have any issues over the next couple days I'll re-enable it and see if the problems come back to confirm it as the culprit.
I checked /var/log/resolver/resolver_20260126.log and don't have any entries in that immediate timeframe aside from the database restore line - I actually have zero entries in the log UNTIL that database auto restore occurs.
I did not see any activity that looked anomalous from clients when I was troubleshooting, and I've had 99% free disk space since installing opnsense, currently sitting at about 1.3gb in use. I cleared log data and turned off unbound reporting as part of troubleshooting so no new data currently.
I experienced another episode of DNS/DHCP failures less than 12 hours after disabling unbound reporting. BUT, after finding all of the reports of HostWatch causing issues I've had autodiscovery disabled for about 24 hours now and so far I have not had any problems. If I don't have any issues over the next couple days I'll re-enable it and see if the problems come back to confirm it as the culprit.
#89
25.7, 25.10 Series / Re: After updating Opnsense fr...
Last post by Patrick M. Hausen - January 28, 2026, 02:26:12 PMNext time before the rollback, please login via SSH, invoke "top" and type "o" "res" <ENTER>. This sorts the processes according to memory usage, largest on top. Then report the findings.
#90
25.7, 25.10 Series / Re: Multi Wan Failover and DNS...
Last post by viragomann - January 28, 2026, 02:18:13 PMThe guide suggests to do policy-routing for all LAN traffic in step 4. This means any traffic would be sent out to the current upstream gateway (gateway group). Hence you would not be able to reach any internal destination, even not OPNsense itself.
The suggested rule in step 5 would allow DNS only to OPNsense befor this.
If DNS resolution on your internal devices works anyway without it, you either didn't state the gateway in step 4 or your internal devices are not configured to use OPNsense for DNS resolution.
The suggested rule in step 5 would allow DNS only to OPNsense befor this.
If DNS resolution on your internal devices works anyway without it, you either didn't state the gateway in step 4 or your internal devices are not configured to use OPNsense for DNS resolution.
