Recent posts

#81
25.7, 25.10 Series / Re: os-OPNWAF / Exchange 2019 ...
Last post by Monviech (Cedrik) - December 09, 2025, 02:36:46 PM
I have a hunch.

Could you go to:

/usr/local/etc/apache24/Includes/gateway_vhosts.conf

In there find the lines that say:

Redirect / /owa/

Delete these lines or comment them out.

Then afterwards do

service apache24 restart

This restarts apache without regenerating the configuration file. Don't press Apply in the GUI now, otherwise the configuration file will revert.

Then test if the authentication popup got better or no change.

If the above did the trick, I wonder if RedirectMatch solves it:

RedirectMatch ^/$ /owa/
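Added illustration, not part of Cedrik's post or of the os-OPNWAF plugin's generated config: the two directives side by side with Apache mod_alias semantics spelled out. Redirect and RedirectMatch are real Apache directives; the VirtualHost wrapper and the ServerName are constructed placeholders, and the real plugin file is the gateway_vhosts.conf named above.

```apache
# Added example; the vhost wrapper and ServerName are placeholders, only the two
# directives are the ones discussed in the post.
<VirtualHost *:443>
    ServerName mail.example.invalid

    # Prefix form: mod_alias matches every request URL that BEGINS with "/" and
    # appends the remainder of the path to the target. A request for
    # "/owa/auth/logon.aspx" is therefore answered with a redirect to
    # "/owa/owa/auth/logon.aspx", and "/owa/" itself is sent on to "/owa/owa/":
    # every path gets rewritten, not only the site root.
    # Redirect / /owa/

    # Anchored form: the regex ^/$ matches only the bare site root, so a request
    # for "/" lands on /owa/ while everything already under /owa/ is left alone.
    RedirectMatch ^/$ /owa/
</VirtualHost>
```

Two checks a practitioner would want around this: run `apachectl -t` before `service apache24 restart` so a typo does not take the gateway down, and keep in mind, as the post says, that gateway_vhosts.conf is regenerated from the GUI, so a hand edit only survives until the next Apply and is a diagnostic step, not a fix.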
#82
25.7, 25.10 Series / Re: Time based Shaper?
Last post by knebb - December 09, 2025, 02:26:15 PM
Hi,

thanks for your explanations and your patience! Very kind!

I am really trying to understand. And I think I got it in theory now.

So I have currently set things up in the following way:

Line Download
  • Min: 750Mbit/s
  • Max: 1000Mbit/s

Line Upload:
  • Min: 375Mbit/s
  • Max: 500Mbit/s

Configured Pipes with the WFQ scheduler and CoDel activated:
  • VoIP Upload -> 10Mbit/s
  • VoIP Download -> 10Mbit/s
  • LAN Upload (min) -> 365Mbit/s (the min available bandwidth reduced by the 10Mbit/s for VoIP)
  • LAN Upload (max) -> 500Mbit/s
  • WAN Download (min) -> 750Mbit/s
  • WAN Download (max) -> 1000Mbit/s

No rules in Shaper

A rule on bottom of the WAN interface as catch-all:
  • Action: Allow
  • Interface: WAN (which is NATed to public IP)
  • Direction: out
  • First match: active
  • IPv4
  • Protocol: any
  • Source/ SrcPort: any
  • Dest/ DstPort: any
  • Traffic Shaping:
  • In RuleDirection --> LAN UploadQueue (min)
  • In ReverseDirection --> LAN DownloadQueue (min)

Looks pretty fine for me...but!

As soon as I activate the rule on the WAN interface my traffic to any internet host drops completely.
But my traffic through the Wireguard VPN works pretty fine, but is not limited to the above 365Mbit/s...

I have no clue what I am doing wrong...anyone an idea?
I think the bug is not related; as far as I understand it, the bandwidth calculation is wrong and offers only half of the configured values. But through Wireshark I do not have any limits (why not???) and to the Internet all is blocked...
Thanks again!
/KNEBB

#83
Virtual private networks / Re: wireguard site 2 site not ...
Last post by austrian-firewaller - December 09, 2025, 02:10:15 PM
From both firewalls I can ping the tunnel IP and all Hosts from the other Network.
But it is not possible from a host inside a LAN network to get to the other network. Only to the other tunnel IP address.

So for example, I ping from a host Site B to firewall Site A
192.168.10.190 -> 192.168.1.10
I see in the firewall Liveview (FW B):
LAN IN from 192.168.10.190 to Dest 192.168.1.10
wg OUT from 192.168.10.190 to Dest 192.168.1.10

And on FW Site A I see nothing.
I have allowed "all in" traffic on the LAN and WireGuard interface on both OPNsense, still nothing...

Now I have created interfaces for the wireguard tunnels still no change.

The WG tunnel itself is stable, because from my PC (192.168.10.190) I can ping Firewall Site A with 65000 bytes of load with no dropped packets over a longer time.
#84
General Discussion / Re: Zoraxy Reverse Proxy does ...
Last post by Monviech (Cedrik) - December 09, 2025, 01:33:33 PM
You have to enable verbose logging in the lighttpd server and find out the exact error message why it rejects the connection.

The OPNsense PR was from me exactly for the caddy plugin, it has nothing to do with lighttpd running in OPNsense core.
#85
General Discussion / Re: Zoraxy Reverse Proxy does ...
Last post by crazywolf13 - December 09, 2025, 01:28:54 PM
Quote from: Monviech (Cedrik) on December 09, 2025, 01:02:20 PM
Shhhh use the caddy plugin on opnsense.

I think I actually was in that zoraxy thread in github.

For caddy all of that is figured out and you also have a nice GUI directly on the OPNsense.

Hi,

Thanks for the suggestion, but I'd prefer to stick with Zoraxy as it's working perfectly for my other services. Switching to Caddy just for OPNsense feels like avoiding the root cause rather than fixing it.
The issue seems to be lighttpd rejecting Zoraxy's requests with a 400 Bad Request, while direct curl access works fine?

Any ideas if my attempt for changing the lighttpd config was the correct file? Or any idea which specific headers could interfere here?

Also see this reply from the maintainer: https://github.com/tobychui/zoraxy/discussions/228#discussioncomment-12095120


According to this comment: https://github.com/opnsense/plugins/issues/4471#issuecomment-2602517275
It seems like OPNsense got a PR to disable HTTP/3, so this issue should be resolved now? Yet for zoraxy "the issue" still appears.
#86
Q-Feeds (Threat intelligence) / Re: Looking for testers Q-Feed...
Last post by Q-Feeds - December 09, 2025, 01:10:54 PM
Quote from: vpx on December 09, 2025, 09:45:27 AM
Hi Stefan,

Thanks, it has been fixed. 👍🏻

Perfect! Thanks for letting us know!
#87
General Discussion / how to connect to two subnet w...
Last post by Gautier - December 09, 2025, 01:09:50 PM
Hello,

I really don't have an idea how to do this, but I am sure it's possible.

I have my router on OPNsense connected via wireguard VPN to 2 servers.
Both are in the same IP range: 192.168.1.0/24
Today with route and gateway I can access on one subnet without problem.

I would like it so that if I want to ping the device 192.168.1.123 on gw1, I use the address 192.168.2.123, and for the same device on gw2, 192.168.3.123.
My subnet is 10.3.x.x/24

Any idea?
#88
General Discussion / Re: Zoraxy Reverse Proxy does ...
Last post by Monviech (Cedrik) - December 09, 2025, 01:02:20 PM
Shhhh use the caddy plugin on opnsense.

I think I actually was in that zoraxy thread in github.

For caddy all of that is figured out and you also have a nice GUI directly on the OPNsense.
#89
General Discussion / Re: Port Forwarding issue insi...
Last post by Land_Strider - December 09, 2025, 12:12:46 PM
Firewall logs

Factorio (working port forward):
[attachment not available]

Jellyfin (not working port forward):
[attachment not available]

Soldat 2 (not working port forward):
[attachment not available]
#90
Development and Code Review / Re: Automating configuration o...
Last post by Monviech (Cedrik) - December 09, 2025, 12:02:10 PM
Other people dream about full OpenAPI spec. This would go hand in hand with the dream of a unified CLI.

There was somebody a while ago on github who wanted to parse all API endpoints and describe them via OpenAPI spec, and there were some PRs in the docs repo around improving the parsing.

But I don't know if anything happened afterwards.

I'm the guy who prefers a GUI. While I was working with Juniper devices I had a folder where I stored many known good configurations so I knew where to look, but all in all a GUI is simpler. The only thing I miss is the timed commit revert feature.