"Recent posts
#81
25.7, 25.10 Series / Re: LAN breaks when moving fro...
Last post by tdpolo26 - December 27, 2025, 07:31:59 AMQuote from: greY on December 27, 2025, 05:52:39 AMHiyeah i had that same idea today.... its like when i switch the assignment something remains em0
I'd try to export configuration, do the replacements/re-mappings (simply search and replace) there and import it back.
#82
25.7, 25.10 Series / Re: Suricata IPS + Promiscuous...
Last post by greY - December 27, 2025, 06:03:47 AMended up, having all WAN (1G) ports at queues=1 and all LAN (10G) ports at queues=2. I guess LAN ports could be set to 4 or 8, I just currently have no time for deeper tests and performance seems to be the same as before.
It made all working again. Especially having WAN ports at 4 I also had weird issues with gateway groups. Doesn't matter if load balancing or failover mode, there were connection issues (instable) to SSH targets.
It made all working again. Especially having WAN ports at 4 I also had weird issues with gateway groups. Doesn't matter if load balancing or failover mode, there were connection issues (instable) to SSH targets.
#83
25.7, 25.10 Series / Re: LAN breaks when moving fro...
Last post by greY - December 27, 2025, 05:52:39 AMHi
I'd try to export configuration, do the replacements/re-mappings (simply search and replace) there and import it back.
I'd try to export configuration, do the replacements/re-mappings (simply search and replace) there and import it back.
#84
General Discussion / Re: Latest OPNsense: libcrypto...
Last post by hakuna - December 27, 2025, 04:45:50 AMLast update!
Everything is working, I have enabled the firewall rules back instead of using public DNS.
OPNsense Announcements is showing a hotfix 25.10.1_2 but it is not available yet, but I was reading 25.7 update and that seems to be the root cause of my problems indeed: https://forum.opnsense.org/index.php?topic=50052.msg255254#msg255254
That package manager update is the only thing that could have opened hell's door, until I ran the update again to install another 85 packages which failed with a Danger msg.
So anyway, this update is not great, I have never experience such major issue during an OPNsense update process before.
If you run this in prod, get ready for a wild ride.
Everything is working, I have enabled the firewall rules back instead of using public DNS.
OPNsense Announcements is showing a hotfix 25.10.1_2 but it is not available yet, but I was reading 25.7 update and that seems to be the root cause of my problems indeed: https://forum.opnsense.org/index.php?topic=50052.msg255254#msg255254
That package manager update is the only thing that could have opened hell's door, until I ran the update again to install another 85 packages which failed with a Danger msg.
So anyway, this update is not great, I have never experience such major issue during an OPNsense update process before.
If you run this in prod, get ready for a wild ride.
Code Select
Please be aware that during the update check the new package manager will be
installed, but will fail to report the update status like it always had before
and so you will end up with an error that will require checking for updates
again. The fix is in this update, but impossible to install without upgrading
the package manager first. We hope this will only be a minor inconvenience
during the process. #85
General Discussion / Re: Latest OPNsense: libcrypto...
Last post by hakuna - December 27, 2025, 04:15:13 AMSomething is terribly wrong with the latest updates, the one prior to 25.7.10 and 25.7.10
After fixing the drama above as explained, uPnP wasn't starting and all my DNS setup was broken (Pi-Hole + Unbound), no matter what I did, nothing was working, I had to use public DNS instead.
I checked the update again and there were another 85 packages to install, 25.7.10 update, during the update process it failed with a danger message and 404 when trying to access the UI.
Reboot and attempt to update via console, uPnP no longer fails and works, also, my DNS setup is working again.
I have no idea wtf happened, I did the usual, check for update and apply, nothing else.
If you are reading this and haven't updated it yet to 25.7.10, don't.
Something is broken!
After fixing the drama above as explained, uPnP wasn't starting and all my DNS setup was broken (Pi-Hole + Unbound), no matter what I did, nothing was working, I had to use public DNS instead.
I checked the update again and there were another 85 packages to install, 25.7.10 update, during the update process it failed with a danger message and 404 when trying to access the UI.
Reboot and attempt to update via console, uPnP no longer fails and works, also, my DNS setup is working again.
I have no idea wtf happened, I did the usual, check for update and apply, nothing else.
If you are reading this and haven't updated it yet to 25.7.10, don't.
Something is broken!
#86
25.7, 25.10 Series / Re: Dnsmasq stops after swap_p...
Last post by dmurphy - December 27, 2025, 04:00:17 AMJust following up that I still see a memory leak in dnsmasq even after a reboot and an update to 25.7.10.
The cronjob which periodically restarts the process is keeping it from being an issue, but I still am trying to track down the leak.
Unfortunately it appears our base FreeBSD doesn't have proper dtrace support; it's mostly broken.
I also tried digging in with gdb but hit a deadend there too; can't really dig into jemalloc that way.
Anyway, looking forward to trying dnsmasq $version++ where we know there are memory leak fixes. No urgency since the crontab process restart is doing its thing -- seems to be a slow leak.
For fun, here's a procstat -v. You can see two memory regions that continue to grow.
[root@dmurphy-gw /usr/local/sbin]# procstat -v 21656
PID START END PRT RES PRES REF SHD FLAG TP PATH
21656 0x200000 0x216000 r-- 22 102 4 1 CN--- vn /usr/local/sbin/dnsmasq
21656 0x216000 0x264000 r-x 78 102 4 1 CN--- vn /usr/local/sbin/dnsmasq
21656 0x264000 0x265000 r-- 1 102 4 1 CN--- vn /usr/local/sbin/dnsmasq
21656 0x265000 0x266000 r-- 1 1 1 0 CN--- sw
21656 0x266000 0x268000 rw- 2 0 1 0 C---- vn /usr/local/sbin/dnsmasq
21656 0x268000 0x269000 rw- 1 1 1 0 C---- sw
21656 0x800e5b000 0x820e3b000 --- 0 0 0 0 ----- gd
21656 0x820e3b000 0x820e5b000 rw- 5 5 1 0 C--D- sw
21656 0x8219d8000 0x8219d9000 r-x 1 1 99 0 ----- ph
21656 0x8229c4000 0x8229ea000 r-- 31 60 20 10 CN--- vn /usr/local/lib/libnettle.so.8.11
21656 0x8229ea000 0x822a16000 r-x 28 60 20 10 CN--- vn /usr/local/lib/libnettle.so.8.11
21656 0x822a16000 0x822a19000 r-- 3 0 1 0 CN--- vn /usr/local/lib/libnettle.so.8.11
21656 0x822a19000 0x822a1a000 rw- 1 0 1 0 CN--- vn /usr/local/lib/libnettle.so.8.11
21656 0x823729000 0x82375b000 r-- 17 39 4 2 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656 0x82375b000 0x823771000 r-x 22 39 4 2 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656 0x823771000 0x823772000 r-- 1 0 1 0 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656 0x823772000 0x823774000 rw- 2 0 1 0 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656 0x8245aa000 0x8245cc000 r-- 24 66 4 2 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656 0x8245cc000 0x824626000 r-x 42 66 4 2 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656 0x824626000 0x824627000 r-- 1 0 1 0 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656 0x824627000 0x824629000 rw- 2 0 1 0 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656 0x824ede000 0x824f5d000 r-- 121 451 308 114 CN--- vn /lib/libc.so.7
21656 0x824f5d000 0x825099000 r-x 316 451 308 114 CN--- vn /lib/libc.so.7
21656 0x825099000 0x8250a2000 r-- 9 0 1 0 CN--- vn /lib/libc.so.7
21656 0x8250a2000 0x8250a9000 rw- 7 0 1 0 C---- vn /lib/libc.so.7
21656 0x8250a9000 0x8251ca000 rw- 19 19 1 0 C---- sw
21656 0x1259f7200000 0x1259f7221000 rw- 28 28 1 0 C---- sw
21656 0x1259f7400000 0x1259f7e00000 rw- 840 840 1 0 C---- sw
21656 0x1259f7e00000 0x125a00500000 rw- 31625 31625 1 0 ----- sw
21656 0x125a00600000 0x125a0a200000 rw- 29677 29677 1 0 ----- sw
21656 0x19660f171000 0x19660f177000 r-- 6 30 251 57 CN--- vn /libexec/ld-elf.so.1
21656 0x19660f177000 0x19660f18e000 r-x 23 30 251 57 CN--- vn /libexec/ld-elf.so.1
21656 0x19660f18e000 0x19660f18f000 r-- 1 0 1 0 CN--- vn /libexec/ld-elf.so.1
21656 0x19660f18f000 0x19660f190000 r-- 1 1 1 0 CN--- sw
21656 0x19660f190000 0x19660f192000 rw- 2 2 1 0 C---- sw
21656 0x7fffffffe000 0x7ffffffff000 --- 0 0 0 0 ----- gd
The cronjob which periodically restarts the process is keeping it from being an issue, but I still am trying to track down the leak.
Unfortunately it appears our base FreeBSD doesn't have proper dtrace support; it's mostly broken.
I also tried digging in with gdb but hit a deadend there too; can't really dig into jemalloc that way.
Anyway, looking forward to trying dnsmasq $version++ where we know there are memory leak fixes. No urgency since the crontab process restart is doing its thing -- seems to be a slow leak.
For fun, here's a procstat -v. You can see two memory regions that continue to grow.
[root@dmurphy-gw /usr/local/sbin]# procstat -v 21656
PID START END PRT RES PRES REF SHD FLAG TP PATH
21656 0x200000 0x216000 r-- 22 102 4 1 CN--- vn /usr/local/sbin/dnsmasq
21656 0x216000 0x264000 r-x 78 102 4 1 CN--- vn /usr/local/sbin/dnsmasq
21656 0x264000 0x265000 r-- 1 102 4 1 CN--- vn /usr/local/sbin/dnsmasq
21656 0x265000 0x266000 r-- 1 1 1 0 CN--- sw
21656 0x266000 0x268000 rw- 2 0 1 0 C---- vn /usr/local/sbin/dnsmasq
21656 0x268000 0x269000 rw- 1 1 1 0 C---- sw
21656 0x800e5b000 0x820e3b000 --- 0 0 0 0 ----- gd
21656 0x820e3b000 0x820e5b000 rw- 5 5 1 0 C--D- sw
21656 0x8219d8000 0x8219d9000 r-x 1 1 99 0 ----- ph
21656 0x8229c4000 0x8229ea000 r-- 31 60 20 10 CN--- vn /usr/local/lib/libnettle.so.8.11
21656 0x8229ea000 0x822a16000 r-x 28 60 20 10 CN--- vn /usr/local/lib/libnettle.so.8.11
21656 0x822a16000 0x822a19000 r-- 3 0 1 0 CN--- vn /usr/local/lib/libnettle.so.8.11
21656 0x822a19000 0x822a1a000 rw- 1 0 1 0 CN--- vn /usr/local/lib/libnettle.so.8.11
21656 0x823729000 0x82375b000 r-- 17 39 4 2 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656 0x82375b000 0x823771000 r-x 22 39 4 2 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656 0x823771000 0x823772000 r-- 1 0 1 0 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656 0x823772000 0x823774000 rw- 2 0 1 0 CN--- vn /usr/local/lib/libhogweed.so.6.11
21656 0x8245aa000 0x8245cc000 r-- 24 66 4 2 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656 0x8245cc000 0x824626000 r-x 42 66 4 2 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656 0x824626000 0x824627000 r-- 1 0 1 0 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656 0x824627000 0x824629000 rw- 2 0 1 0 CN--- vn /usr/local/lib/libgmp.so.10.5.0
21656 0x824ede000 0x824f5d000 r-- 121 451 308 114 CN--- vn /lib/libc.so.7
21656 0x824f5d000 0x825099000 r-x 316 451 308 114 CN--- vn /lib/libc.so.7
21656 0x825099000 0x8250a2000 r-- 9 0 1 0 CN--- vn /lib/libc.so.7
21656 0x8250a2000 0x8250a9000 rw- 7 0 1 0 C---- vn /lib/libc.so.7
21656 0x8250a9000 0x8251ca000 rw- 19 19 1 0 C---- sw
21656 0x1259f7200000 0x1259f7221000 rw- 28 28 1 0 C---- sw
21656 0x1259f7400000 0x1259f7e00000 rw- 840 840 1 0 C---- sw
21656 0x1259f7e00000 0x125a00500000 rw- 31625 31625 1 0 ----- sw
21656 0x125a00600000 0x125a0a200000 rw- 29677 29677 1 0 ----- sw
21656 0x19660f171000 0x19660f177000 r-- 6 30 251 57 CN--- vn /libexec/ld-elf.so.1
21656 0x19660f177000 0x19660f18e000 r-x 23 30 251 57 CN--- vn /libexec/ld-elf.so.1
21656 0x19660f18e000 0x19660f18f000 r-- 1 0 1 0 CN--- vn /libexec/ld-elf.so.1
21656 0x19660f18f000 0x19660f190000 r-- 1 1 1 0 CN--- sw
21656 0x19660f190000 0x19660f192000 rw- 2 2 1 0 C---- sw
21656 0x7fffffffe000 0x7ffffffff000 --- 0 0 0 0 ----- gd
#87
General Discussion / Re: Latest OPNsense: libcrypto...
Last post by hakuna - December 27, 2025, 03:18:31 AMTHIS CANNOT BE RIGHT!!!!
Download this since I am runnint 25.7: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/All/openssl-3.0.18,1.pkg
Extract:
Copy from USB to both location since idk which is which:
The system is booting and I can log in, now I need to check if it is gonna connect to the internet.
Download this since I am runnint 25.7: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/All/openssl-3.0.18,1.pkg
Extract:
Code Select
libcrypto.so.12
libssl.so.12
Copy from USB to both location since idk which is which:
Code Select
/usr/lib/
/lib/The system is booting and I can log in, now I need to check if it is gonna connect to the internet.
#88
General Discussion / Re: Struggles scripting with t...
Last post by ASteve - December 27, 2025, 03:03:25 AMQuote from: allddd on December 27, 2025, 01:24:14 AMQuote from: ASteve on December 27, 2025, 12:16:30 AMand triggers an action if either of the upstream gateways is down.
Not sure about the API, but have you considered using Monit? It's designed to do exactly that.
It can notify you, execute a script, or basically do anything else you want it to.
https://docs.opnsense.org/manual/monit.html
Thanks for recommending Monit... it's related to what I'm trying to do. I have Monit set up... but I'm trying to achieve something subtly different. Monit can't do what I want because I want the decision about presence/absence of a fault-condition to be made by a host on my LAN - not by the host running OpnSense.
With Monit, while it could run a script (on the OpnSense router) when relevant fault conditions arise... I want a script to periodically verify that the gateway is operating properly. I don't want my OpnSense router to push notifications of faults... I want a script that runs on a separate host (on my LAN) to poll to check the opposite - i.e. that both uplinks are 'OK'. I make a distinction between the approaches as they have different failure modes. If some aspect of my networks (LAN/WAN/VPN etc.) is down, this could plausibly block delivery of a message about failure (giving the false impression that everything is OK). Conversely, if I take a polling approach - dispatching requests (perhaps once a minute) from a host I'm actively using... then any failure to verify things are "OK" (whatever the reason for that failure) will permit reliable notification about there being some kind of problem. Another obvious distinction between the approaches: if power to my OpnSense router fails (unplugged/switched off at mains) then the Monit service on it will not be dispatching any notifications. Conversely, if a service running on my desktop (which I'm actively using) fails to successfully poll the router, and verify things are OK, then it will be able to actively notify me - even if the LAN and/or WAN are not working properly; even if email and/or DNS are not working properly.
#89
General Discussion / Latest OPNsense: libcrypto.so....
Last post by hakuna - December 27, 2025, 02:53:00 AMI have updated my system via terminal which only installed 4 packages I cannot remember but were small like os-upnp and 3 others.
If I run:
I get these 4 packages at the top which I believe they were the ones installed.
The UI stopped working, it was not longer responding, interfaces not showing, etc. Reboot.
After 1min, I didn't hear the beep sound and the terminal is stuck at:
Then I tried a hack not knowing much of it just to get the system started:
I gets other errors because of course, the versions are incompatible.
My system is running openssl-3.0.16 so I have no idea why it is requesting libcrypto.so.12 which no longer belongs to this system version.
So anyway, I have no idea what this update did, 4 packages, now it longer boots up and I have no much idea of what to do other than a clean install.
I am avoiding a clean install because I have soooooo many firewall rules and I cannot just import the backup, I need to install wireguard, os-upnp and others, otherwise, the importing the backup ends up a complete mess.
I also need to manually assign ports, it is a job and half.
I appreciate any help
If I run:
Code Select
pkg info -a -O '%t %n' | sort -rnI get these 4 packages at the top which I believe they were the ones installed.
Code Select
png-1.6.52
pkg-2.3.1_1
os-upnp-1.8
os-lcdprod-sdeclcd-1.1_1The UI stopped working, it was not longer responding, interfaces not showing, etc. Reboot.
After 1min, I didn't hear the beep sound and the terminal is stuck at:
Code Select
Shared object "libcrypto.so.12" not found, required by phpThen I tried a hack not knowing much of it just to get the system started:
Code Select
echo "libcrypto.so.12 libcrypto.so.30" >> /etc/libmap.conf
echo "libssl.so.12 libssl.so.30" >> /etc/libmap.conf
I gets other errors because of course, the versions are incompatible.
My system is running openssl-3.0.16 so I have no idea why it is requesting libcrypto.so.12 which no longer belongs to this system version.
So anyway, I have no idea what this update did, 4 packages, now it longer boots up and I have no much idea of what to do other than a clean install.
I am avoiding a clean install because I have soooooo many firewall rules and I cannot just import the backup, I need to install wireguard, os-upnp and others, otherwise, the importing the backup ends up a complete mess.
I also need to manually assign ports, it is a job and half.
I appreciate any help
#90
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
Last post by OPNenthu - December 27, 2025, 02:45:27 AMQuote from: muchacha_grande on December 26, 2025, 11:46:31 PMThe only caveat is that static configured addresses are not resolved by Dnsmasq. So I had to add them manually in Unbound overrides.
If the device is configured to get the IP via DHCP the name resolution work with both dynamic and reserved addresses, but if the IP is fixed on the device and it doesn't get it from DHCP, the name resolution doesn't work.
With ISC-DHCP, the name resolution worked both in the cases of static IPs configured on the devices and in IPs assigned via DHCP.
I'm not sure which approach is better (appreciate advice from others), but I have been adding Host entries in Dnsmasq even for statically configured ones. They don't show up in Leases, but they do get added to DNS and I presume also marks that IP as reserved from the pool.
I make sure all the static IPs I use fall within the Dnsmasq range, which is a difference from ISC. This can obviously leave unused IPs if your Dnsmasq pool is, for example, .100 to .254. Then the entire range .2 to .99 is wasted.
I can think of a couple solutions:
1) Define the Dnsmasq range as .2 to .254 (.1 being for the gateway in this example)
2) Define two ranges: 192.168.1.2 - 192.168.1.99 (static pool) and 192.168.1.100 - 192.168.1.254 (DHCP pool) for the same domain
Question for @Monviech/@Maurice or others - is #2 viable and a good idea? I haven't tested.
