Recent posts

#81
General Discussion / Re: PSA: recent Comcast firmwa...
Last post by allan - December 13, 2025, 12:27:15 AM
Thanks for telling me about this thread, Franco. I spoke to someone in their corporate escalations group on Nov 10. Even he had to find a way to get it escalated into their engineering group. By Dec 1st, they rolled back my firmware at my request and I confirmed that fixed the problem (again). They then started rolling everyone back on Dec 5th and expected to complete that process by Dec 8th. He was going to update me if things change and I was going to reach out if the rollback caused issues. Thankfully, all went well.

Sadly, this is not the first time firmware updates affected my IPv6. My previous event triggered the modem's firewall and *blocked all incoming IPv6 connections* even though it is set to "disabled". Port forwarding, IPSec, client VPNs all went down. Similar to this time, I found someone who was able to relay it into engineering.

Btw, the one I am eagerly awaiting news on is the CheckPoint vs StrongSwan 6.0.3 CHILD_CREATE issue we had (#9382). The latest info I received today was their R&D discussed my case in their meeting and they will investigate my issue before making a decision. I set up a lab to gather logs and sent it all in along with Tobias' comments and links to the RFCs. I hope it was convincing enough.

#82
Hardware and Performance / Re: DEC750 Questions
Last post by ProximusAl - December 12, 2025, 11:57:29 PM
Device received.....
Nice bit of kit...

I decided to ride the lightning and ignored previous advice and:

1. Updated the BIOS to .35 (Was on 33)
2. Formatted the NVMe and installed Community 25.7 from serial image (ZFS)
3. Added the AMD microcode plugin
4. Updated to 25.7.9_7
5. Did *not* enable HyperThreading in BIOS.

I ran out of time, so will play with importing (after modifying interfaces) my existing config.

If it runs stable and nice, I'll order another 3 to replace other Chinese devices :)

The only oddity I found was when updating from 25.7 to 25.7.9: I did get an error thrown on the screen to check the log (blueish background popup), but I found nothing and it installed and rebooted as expected anyway with no intervention. (This wasn't the original pkg update error... I got that first as expected.)

Health checks all pass after the reboot.

Really looking forward to getting this into prod..
#83
25.7, 25.10 Series / Re: Firewall Rule using ports ...
Last post by Patrick M. Hausen - December 12, 2025, 10:37:12 PM
Please show both rules in their entirety.
#84
Virtual private networks / Re: OPNsense 25.7.9 | OpenVPN ...
Last post by glgontijo - December 12, 2025, 10:23:42 PM
Just to update.
I've found this to be a specific behavior of NetworkManager.

How to solve:
In NetworkManager, within the imported connection, on the IPv4 tab > Routes, select the "Ignore routes obtained automatically" option. That way the connection will only create the route to the VPN IP subnet. No default routes.
It is also possible to use another OpenVPN client; in my case I tested with "OpenVPN Gui Connect" successfully, without having to ignore routes.

On Windows systems, no errors are expected. But I'll still test. If there is any problem, I'll report it here.

Thanks for the space, and I'll leave the resolution here.

***
Sorry for poor translation
#85
Portuguese - Português / Re: OPNsense 25.7.9 | OpenVPN ...
Last post by glgontijo - December 12, 2025, 10:20:57 PM
Just to update.
I found that this is a behavior specific to NetworkManager.

How to resolve:
In NetworkManager, within the imported connection, on the IPv4 tab > Routes, select the "Ignore routes obtained automatically" option. That way the connection will only create the route to the VPN IP subnet. No default routes.
It is also possible to use another OpenVPN client; in my case I tested with "OpenVPN Gui Connect" successfully, without needing to ignore routes.

On Windows systems, no errors are expected. But I'll still test. If there is any problem, I'll report it here.

Thanks for the space, and I'll leave the resolution here.
#86
General Discussion / Re: 25.7.9 update - xorgproto:...
Last post by franco - December 12, 2025, 10:18:21 PM
Bad pkg version from FreeBSD perhaps?
#87
25.7, 25.10 Series / Re: 25.4 to 25.10 Business Edi...
Last post by franco - December 12, 2025, 10:16:55 PM
If you have a captive portal it may be worth waiting for 25.10.2. The IPFW to PF transition hit performance limitations that are going to be fixed by reversing the statistics migration to IPFW in 25.7.10 community and then 25.10.2 early next year.

Otherwise there are no fundamental changes. StrongSwan changing a default setting that needs a configuration amendment for Checkpoint interoperability is the worst thing we've seen so far, and the impact is minimal and the cause external (although we had to add another algo that wasn't selectable in the GUI before).


Cheers,
Franco
#88
General Discussion / Re: Need some guidance in how ...
Last post by coffeecup25 - December 12, 2025, 10:14:10 PM
Quote from: neomorpheus on December 12, 2025, 09:41:50 PM
Quote from: coffeecup25 on December 12, 2025, 09:13:50 PM
4) Best wishes. You need to think this through again.


Wait, did I upset, disrespect or offend you somehow?

I'm only looking for a simple solution to an issue which would help me remove extra hardware from the network and perhaps learn how to secure my network a bit more.

No, I replied factually to the best of my ability. Things work as they do. You can't negotiate how an access point works. I suspect I simply should have not answered at all. Perhaps you should google networks and add some background knowledge next. As we all did. I gave you an instant answer at the top of this thread.
#89
General Discussion / Re: Need some guidance in how ...
Last post by neomorpheus - December 12, 2025, 09:41:50 PM
Quote from: coffeecup25 on December 12, 2025, 09:13:50 PM
4) Best wishes. You need to think this through again.


Wait, did I upset, disrespect or offend you somehow?

I'm only looking for a simple solution to an issue which would help me remove extra hardware from the network and perhaps learn how to secure my network a bit more.
#90
General Discussion / Re: Need some guidance in how ...
Last post by coffeecup25 - December 12, 2025, 09:13:50 PM
Quote from: neomorpheus on December 12, 2025, 08:34:58 PM
Something just occurred to me, the applications that need to talk to these IoTs should be able to continue working via web access.

But to keep this simple, let's forget the VLAN and IoT, how about replacing the switch by using the ports that already exist in my Router?

As mentioned, I only really need 2 ports, the NAS and the AP, the rest can use my wifi network.

How do I set those two ports?

1) If the NAS is on a different subnet, then no other subnet can talk to it, defeating the purpose of a NAS

2) If the AP is on an isolated subnet, then LAN and NAS cannot use it

3) If you do some workaround to fix that, you end up where you began

4) Best wishes. You need to think this through again.

5) I'm out of ideas. Perhaps someone else has a better idea outside my range of experience.